CVE-2019-16869
netty - security update
CVSS 3.1 score: 7.5 (HIGH); EPSS: 15.3%
Description
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
How to fix CVE-2019-16869
To remediate CVE-2019-16869, upgrade the affected package to one of the fixed versions listed below.
- Debian/netty: upgrade to 1:4.1.33-2 or later
- Debian/netty: upgrade to 1:3.2.6.Final-2+deb8u1 or later
- Upgrade to 1:4.1.7-2+deb9u1 or later
- Upgrade to 3.9.9.Final-1+deb9u1 or later
- Upgrade to 4.1.42.Final or later
- No fix listed
Is CVE-2019-16869 being exploited?
Moderate: EPSS is 15.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (6)
- from 0, < 1:4.1.33-2
- from 0, < 1:3.2.6.Final-2+deb8u1
- from 0, < 1:4.1.7-2+deb9u1
- from 0, < 3.9.9.Final-1+deb9u1
- >= 4.0.0.Alpha1, < 4.1.42.Final
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |