{"id":"CVE-2019-20445","details":"HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.","aliases":["GHSA-p2v9-g2qv-p635"],"modified":"2026-04-11T12:20:10.430617Z","published":"2020-01-29T21:15:11.110Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2"}],"cpe":"cpe:2.3:a:redhat:jboss_amq_clients:2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.2"}],"cpe":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.3"}],"cpe":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"33"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0497"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0567"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0601"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0605"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0606"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0804"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0805"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0806"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0811"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4532-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4885"},{"type":"FIX","url":"https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"},{"type":"FIX","url":"https://github.com/netty/netty/issues/9861"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/spark","events":[{"introduced":"0"},{"last_affected":"14211a19f53bd0f413396582c8970e3e0a74281d"},{"last_affected":"163fbd2528a18bf062bddf7b7753631a12a369b5"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.4.7"},{"last_affected":"2.4.8"}],"cpe":["cpe:2.3:a:apache:spark:2.4.7:*:*:*:*:*:*:*","cpe:2.3:a:apache:spark:2.4.8:*:*:*:*:*:*:*"]}}],"versions":["0.3-scala-2.8","alpha-0.2","v0.6.0","v0.7.0","v2.4.0","v2.4.0-rc1","v2.4.0-rc2","v2.4.0-rc3","v2.4.0-rc4","v2.4.0-rc5","v2.4.1","v2.4.1-rc1","v2.4.1-rc2","v2.4.1-rc3","v2.4.1-rc4","v2.4.1-rc5","v2.4.1-rc7","v2.4.1-rc8","v2.4.1-rc9","v2.4.2","v2.4.2-rc1","v2.4.3","v2.4.3-rc1","v2.4.4","v2.4.4-rc1","v2.4.4-rc2","v2.4.4-rc3","v2.4.5","v2.4.5-rc1","v2.4.5-rc2","v2.4.6","v2.4.6-rc1","v2.4.6-rc2","v2.4.6-rc3","v2.4.6-rc4","v2.4.6-rc5","v2.4.6-rc6","v2.4.6-rc7","v2.4.6-rc8","v2.4.7","v2.4.7-rc1","v2.4.7-rc2","v2.4.7-rc3","v2.4.8","v2.4.8-rc1","v2.4.8-rc2","v2.4.8-rc3","v2.4.8-rc4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20445.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"5ddf45a2d51bf88e94ef5a60e0abdc492b008ce7"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"4.1.44"}],"cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"}}],"versions":["netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.5.Final","netty-4.1.6.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20445.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}