Red Hat JBossEAP: HTTP Request/Response Smuggling (CVE-2019-20444)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:P/I:P/A:N) | 2020-01-29 | 2024-09-19 | 2024-12-20 |
Description
HttpObjectDecoder.java in Netty before 4.1.44 accepts an HTTP header line that lacks a colon. Such a line might be interpreted as a separate, syntactically invalid header, or as an "invalid fold" (a continuation of the previous header). An HTTP request smuggling flaw was found in HttpObjectDecoder.java in Netty versions prior to 4.1.44: a header followed by an invalid fold, in this case a CRLF (carriage return, line feed) that is not followed by SP (space) or HTAB (horizontal tab), can be misread, so that two parsers in the request path may disagree about where one header ends and the next begins. Data integrity is the highest threat with this vulnerability.
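As an added illustration (not code from the advisory, from Red Hat or from Netty), the following Python models the parsing divergence the description refers to: a lenient decoder that glues a colon-less line onto the previous field value as if it were a fold, beside a strict checker that rejects such lines, obsolete line folding and whitespace-padded field names. The sample header block and the names lenient_headers and header_defects are constructed for this example.

```python
import re

# Field names must be RFC 7230 "token" characters: no spaces, no colons.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def lenient_headers(block: bytes) -> dict:
    """Model of a lenient decoder (illustrative, not Netty's code): a line
    with no ':' is appended to the previous field value as if it were an
    obsolete line fold, so the line silently changes that header's meaning."""
    headers, last = {}, None
    for line in block.rstrip(b"\r\n").split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and not line[:1].isspace():
            last = name.strip().lower()
            headers[last] = value.strip()
        elif last is not None:
            headers[last] += b" " + line.strip()
    return headers


def header_defects(block: bytes) -> list:
    """Strict check of a raw header section (everything after the request
    line, including the terminating empty line). Returns reasons to reject."""
    if block == b"\r\n":
        return []  # no header fields at all
    if not block.endswith(b"\r\n\r\n"):
        return ["header section not terminated by an empty line"]
    defects = []
    for n, line in enumerate(block[:-4].split(b"\r\n"), 1):
        name, sep, _ = line.partition(b":")
        if b"\r" in line or b"\n" in line:
            defects.append(f"line {n}: bare CR or LF")
        elif line[:1] in (b" ", b"\t"):
            defects.append(f"line {n}: obsolete line folding")
        elif not sep:
            defects.append(f"line {n}: no ':' in header line")
        elif not TOKEN.match(name):
            defects.append(f"line {n}: bad field name {name!r}")
    return defects


# Constructed sample (not from the advisory): the second line lacks a colon.
SAMPLE = (b"Host: app.example\r\n"
          b"X-Request-Id 42\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(lenient_headers(SAMPLE))  # Host value absorbs the stray line
    print(header_defects(SAMPLE))   # ["line 2: no ':' in header line"]
```

A front-end proxy that runs the strict check and rejects the message with 400 removes the ambiguity; the lenient model shows why a back end that instead absorbs the line sees a different request than the proxy did.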
Solution
Upgrade Red Hat JBoss EAP to the latest version (solution id: red-hat-jboss-eap-upgrade-latest).
References
- CVE-2019-20444
- https://attackerkb.com/topics/CVE-2019-20444
- https://access.redhat.com/security/cve/CVE-2019-20444
- https://bugzilla.redhat.com/show_bug.cgi?id=1798524
- https://github.com/elastic/elasticsearch/issues/49396
- https://access.redhat.com/errata/RHSA-2020:0605
- https://access.redhat.com/errata/RHSA-2020:0606
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811