{"id":"CVE-2020-7238","details":"Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.","aliases":["GHSA-ff2w-cq2g-wv5f"],"modified":"2026-04-11T12:35:00.947232Z","published":"2020-01-27T17:15:12.277Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"7.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"7.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"33"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0497"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0567"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0601"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0605"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0606"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0804"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0805"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0806"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0811"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"},{"type":"ADVISORY","url":"https://netty.io/news/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4885"},{"type":"EVIDENCE","url":"https://github.com/jdordonezn/CVE-2020-72381/issues/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"last_affected":"d066f163d7476a4a332f95d4dc62af751378f536"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"4.1.43"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:netty:netty:4.1.43:*:*:*:*:*:*:*"}}],"versions":["netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.5.Final","netty-4.1.6.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7238.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}