How severe is CVE-2021-21409?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2021-21409?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2021-21409 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Related Vulnerabilities

CVE-2019-19326

MEDIUM

CVSS:5.9(Medium)

Silverstripe CMS sites through 4.4.4 which have opted into HTTP Cache Headers on responses served by the framework's HTTP layer can be vulnerable to web cache poisoning. Through modifying the X-Origin...

CWE-4442019

CVE-2021-21295

MEDIUM

CVSS:5.9(Medium)

CWE-4442021

CVE-2021-23336

MEDIUM

CVSS:5.9(Medium)

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse...

CWE-4442021

CVE-2022-0552

MEDIUM

CVSS:5.9(Medium)

A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. The vulnerable netty-codec-ht...

CWE-4442022

CVE-2024-34535

MEDIUM

CVSS:5.9(Medium)

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.

CWE-4442024

CVE-2017-7559

MEDIUM

CVSS:6.1(Medium)

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in th...

CWE-4442017