Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2021/05/26 15:07:00 UTC

[jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty

     [ https://issues.apache.org/jira/browse/CASSANDRA-16699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-16699:
-----------------------------------------
    Resolution: Not A Problem
        Status: Resolved  (was: Triage Needed)

Cassandra does not use an HTTP transport.

> Security vulnerability CVE-2020-7238 for Netty
> ----------------------------------------------
>
>                 Key: CASSANDRA-16699
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16699
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Ethern Su
>            Priority: Normal
>
> *Cassandra Version: 3.11.10*
> *Description:*
> *Severity:* NVD CVSS:3.1 7.5 High
> *Affecting Package*: netty-all 4.0.44.Final
> *Source:* National Vulnerability Database
> *Explanation from NVD:* Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
> *Recommendation:* Upgrade package io.netty#netty-all to version 4.1.44.Final or above.


