Org.jboss.netty:netty

This hub aggregates every CVE we track for Org.jboss.netty:netty, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 10 most recently published vulnerabilities affecting Org.jboss.netty:netty.

• CVE-2021-43797HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling6.5Dec 9, 2021
• CVE-2021-37136The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Dec...7.5Oct 19, 2021
• CVE-2021-37137The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was rece...7.5Oct 19, 2021
• CVE-2021-21409Possible request smuggling in HTTP/2 due missing validation of content-length5.9Mar 30, 2021
• CVE-2021-21295Possible request smuggling in HTTP/2 due missing validation5.9Mar 9, 2021
• CVE-2021-21290Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files6.2Feb 8, 2021
• CVE-2019-20444HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "inva...9.1Jan 29, 2020
• CVE-2019-20445HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.9.1Jan 29, 2020
• CVE-2019-16869Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.7.5Sep 26, 2019
• CVE-2015-2156Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly...7.5Oct 18, 2017