GHSA-wm47-8v5p-wjpj

Suggest an improvement
Source
https://github.com/advisories/GHSA-wm47-8v5p-wjpj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wm47-8v5p-wjpj
Aliases
Related
Published
2021-03-09T18:49:49Z
Modified
2024-08-01T07:13:04.232041Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Possible request smuggling in HTTP/2 due missing validation
Details

Impact

If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodecand then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.

In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.

An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:

POST / HTTP/2
:authority:: externaldomain.com
Content-Length: 4

asdfGET /evilRedirect HTTP/1.1
Host: internaldomain.com

Users are only affected if all of this is true: * HTTP2MultiplexCodec or Http2FrameCodec is used * Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects * These HTTP/1.1 objects are forwarded to another remote peer.

Patches

This has been patched in 4.1.60.Final

Workarounds

The user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

References

Related change to workaround the problem: https://github.com/Netflix/zuul/pull/980

Database specific
{
    "nvd_published_at": "2021-03-09T19:15:00Z",
    "cwe_ids": [
        "CWE-444"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-09T18:47:09Z"
}
References

Affected packages

Maven / io.netty:netty-codec-http2

Package

Name
io.netty:netty-codec-http2
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.1.60.Final

Affected versions

4.*

4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final

Maven / org.jboss.netty:netty

Package

Name
org.jboss.netty:netty
View open source insights on deps.dev
Purl
pkg:maven/org.jboss.netty/netty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0.CR1
3.0.0.CR2
3.0.0.CR3
3.0.0.CR4
3.0.0.CR5
3.0.0.GA
3.0.1.GA
3.0.2.GA
3.1.0.ALPHA1
3.1.0.ALPHA2
3.1.0.ALPHA3
3.1.0.ALPHA4
3.1.0.BETA1
3.1.0.BETA2
3.1.0.BETA3
3.1.0.CR1
3.1.0.GA
3.1.1.GA
3.1.2.GA
3.1.3.GA
3.1.4.GA
3.1.5.GA
3.2.0.ALPHA1
3.2.0.ALPHA2
3.2.0.ALPHA3
3.2.0.ALPHA4
3.2.0.BETA1
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.2.10.Final

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}

Maven / io.netty:netty

Package

Name
io.netty:netty
View open source insights on deps.dev
Purl
pkg:maven/io.netty/netty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0.Final
3.3.1.Final
3.4.0.Alpha1
3.4.0.Alpha2
3.4.0.Beta1
3.4.0.Final
3.4.1.Final
3.4.2.Final
3.4.3.Final
3.4.4.Final
3.4.5.Final
3.4.6.Final
3.5.0.Beta1
3.5.0.Final
3.5.1.Final
3.5.2.Final
3.5.3.Final
3.5.4.Final
3.5.5.Final
3.5.6.Final
3.5.7.Final
3.5.8.Final
3.5.9.Final
3.5.10.Final
3.5.11.Final
3.5.12.Final
3.5.13.Final
3.6.0.Beta1
3.6.0.Final
3.6.1.Final
3.6.2.Final
3.6.3.Final
3.6.4.Final
3.6.5.Final
3.6.6.Final
3.6.7.Final
3.6.8.Final
3.6.9.Final
3.6.10.Final
3.7.0.Final
3.7.1.Final
3.8.0.Final
3.8.1.Final
3.8.2.Final
3.8.3.Final
3.9.0.Final
3.9.1.Final
3.9.1.1.Final
3.9.2.Final
3.9.3.Final
3.9.4.Final
3.9.5.Final
3.9.6.Final
3.9.7.Final
3.9.8.Final
3.9.9.Final
3.10.0.Final
3.10.1.Final
3.10.2.Final
3.10.3.Final
3.10.4.Final
3.10.5.Final
3.10.6.Final

4.*

4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}