CVE-2019-20444

CRITICAL

Netty < 4.1.44 - HTTP Request Smuggling

Title source: rule
STIX 2.1

Description

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

References (116)

... and 96 more

Scores

CVSS v3 9.1
EPSS 0.1487
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-444
Status published
Products (12)
canonical/ubuntu_linux 18.04
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 33
io.netty/netty 0Maven
io.netty/netty-codec-http 0 - 4.1.44Maven
netty/netty < 4.1.44
org.jboss.netty/netty 0Maven
redhat/jboss_amq_clients 2
... and 2 more
Published Jan 29, 2020
Tracked Since Feb 18, 2026