CVE-2019-20444
CRITICALNetty < 4.1.44 - HTTP Request Smuggling via Malformed HTTP Header
Title source: llmDescription
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
References (116)
Core 116
Core References
Mailing List mailing-list
https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0497
Mailing List mailing-list
https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
Mailing List mailing-list
https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0601
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0606
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0605
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0567
Mailing List mailing-list
https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0806
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0811
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0804
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0805
Mailing List mailing-list
https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
Mailing List mailing-list
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/4532-1/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
Mailing List mailing-list
https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E
Third Party Advisory vendor-advisory
https://www.debian.org/security/2021/dsa-4885
Mailing List mailing-list
https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E
Mailing List mailing-list
https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E
Patch, Third Party Advisory
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/netty/netty/issues/9866
Various Sources
https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
Scores
CVSS v3
9.1
EPSS
0.0868
EPSS Percentile
94.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-444
Status
published
Products (12)
canonical/ubuntu_linux
18.04
debian/debian_linux
8.0
debian/debian_linux
9.0
debian/debian_linux
10.0
fedoraproject/fedora
33
io.netty/netty
0Maven
io.netty/netty-codec-http
0 - 4.1.44Maven
netty/netty
< 4.1.44
org.jboss.netty/netty
0Maven
redhat/jboss_amq_clients
2
... and 2 more
Published
Jan 29, 2020
Tracked Since
Feb 18, 2026