CVE-2021-21409

📊 5.9 MEDIUM⚡ 5.0%🎯 0 exploits

📅 Published Mar 30, 2021

📋 Status: Modified

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

CVSS v3.1 • [email protected]

🎯 Affected Products & Systems

28 product configurations affected

Filter by type:

Type	Vendor	Product	Version Range	Status	CPE String
📱App	netty	netty	< 4.1.61	Vulnerable	cpe:2.3:a:netty:netty::::::::
💻OS	debian	debian linux	10.0	Vulnerable	cpe:2.3:o:debian:debian_linux:10.0:::::::*
📱App	netapp	oncommand api services	All versions	Vulnerable	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
📱App	netapp	oncommand workflow automation	All versions	Vulnerable	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
📱App	oracle	banking corporate lending process management	14.2.0	Vulnerable	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:::::::*
📱App	oracle	banking corporate lending process management	14.3.0	Vulnerable	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::*
📱App	oracle	banking corporate lending process management	14.5.0	Vulnerable	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:::::::*
📱App	oracle	banking credit facilities process management	14.2.0	Vulnerable	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:::::::*
📱App	oracle	banking credit facilities process management	14.3.0	Vulnerable	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::*
📱App	oracle	banking credit facilities process management	14.5.0	Vulnerable	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:::::::*
📱App	oracle	banking trade finance process management	14.2.0	Vulnerable	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:::::::*
📱App	oracle	banking trade finance process management	14.3.0	Vulnerable	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::*
📱App	oracle	banking trade finance process management	14.5.0	Vulnerable	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:::::::*
📱App	oracle	coherence	12.2.1.4.0	Vulnerable	cpe:2.3:a:oracle:coherence:12.2.1.4.0:::::::*
📱App	oracle	coherence	14.1.1.0.0	Vulnerable	cpe:2.3:a:oracle:coherence:14.1.1.0.0:::::::*
📱App	oracle	communications brm - elastic charging engine	12.0.0.3	Vulnerable	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:::::::*
📱App	oracle	communications cloud native core console	1.7.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:::::::*
📱App	oracle	communications cloud native core policy	1.14.0	Vulnerable	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
📱App	oracle	communications design studio	7.4.2.0.0	Vulnerable	cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:::::::*
📱App	oracle	communications messaging server	8.1	Vulnerable	cpe:2.3:a:oracle:communications_messaging_server:8.1:::::::*
📱App	oracle	helidon	1.4.10	Vulnerable	cpe:2.3:a:oracle:helidon:1.4.10:::::::*
📱App	oracle	helidon	2.4.0	Vulnerable	cpe:2.3:a:oracle:helidon:2.4.0:::::::*
📱App	oracle	jd edwards enterpriseone tools	< 9.2.6.3	Vulnerable	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
📱App	oracle	nosql database	< 21.1.12	Vulnerable	cpe:2.3:a:oracle:nosql_database::::::::
📱App	oracle	primavera gateway	≥ 17.12.0 ∧ ≤ 17.12.11	Vulnerable	cpe:2.3:a:oracle:primavera_gateway::::::::
📱App	oracle	primavera gateway	≥ 18.8.0 ∧ ≤ 18.8.11	Vulnerable	cpe:2.3:a:oracle:primavera_gateway::::::::
📱App	oracle	primavera gateway	≥ 19.12.0 ∧ ≤ 19.12.10	Vulnerable	cpe:2.3:a:oracle:primavera_gateway::::::::
📱App	quarkus	quarkus	≤ 1.13.7	Vulnerable	cpe:2.3:a:quarkus:quarkus::::::::

📱

netty / netty

Application

Vulnerable

Version: < 4.1.61

CPE:

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

💻

debian / debian linux

Operating System

Vulnerable

Version: 10.0

CPE:

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

📱

netapp / oncommand api services

Application

Vulnerable

Version: All versions

CPE:

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*

📱

netapp / oncommand workflow automation

Application

Vulnerable

Version: All versions

CPE:

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

📱

oracle / banking corporate lending process management

Application

Vulnerable

Version: 14.2.0

CPE:

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*

📱

oracle / banking corporate lending process management

Application

Vulnerable

Version: 14.3.0

CPE:

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*

📱

oracle / banking corporate lending process management

Application

Vulnerable

Version: 14.5.0

CPE:

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*

📱

oracle / banking credit facilities process management

Application

Vulnerable

Version: 14.2.0

CPE:

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*

📱

oracle / banking credit facilities process management

Application

Vulnerable

Version: 14.3.0

CPE:

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*

📱

oracle / banking credit facilities process management

Application

Vulnerable

Version: 14.5.0

CPE:

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*

📱

oracle / banking trade finance process management

Application

Vulnerable

Version: 14.2.0

CPE:

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*

📱

oracle / banking trade finance process management

Application

Vulnerable

Version: 14.3.0

CPE:

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*

📱

oracle / banking trade finance process management

Application

Vulnerable

Version: 14.5.0

CPE:

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*

📱

oracle / coherence

Application

Vulnerable

Version: 12.2.1.4.0

CPE:

cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*

📱

oracle / coherence

Application

Vulnerable

Version: 14.1.1.0.0

CPE:

cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*

📱

oracle / communications brm - elastic charging engine

Application

Vulnerable

Version: 12.0.0.3

CPE:

cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*

📱

oracle / communications cloud native core console

Application

Vulnerable

Version: 1.7.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*

📱

oracle / communications cloud native core policy

Application

Vulnerable

Version: 1.14.0

CPE:

cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*

📱

oracle / communications design studio

Application

Vulnerable

Version: 7.4.2.0.0

CPE:

cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*

📱

oracle / communications messaging server

Application

Vulnerable

Version: 8.1

CPE:

cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

📱

oracle / helidon

Application

Vulnerable

Version: 1.4.10

CPE:

cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*

📱

oracle / helidon

Application

Vulnerable

Version: 2.4.0

CPE:

cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*

📱

oracle / jd edwards enterpriseone tools

Application

Vulnerable

Version: < 9.2.6.3

CPE:

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

📱

oracle / nosql database

Application

Vulnerable

Version: < 21.1.12

CPE:

cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*

📱

oracle / primavera gateway

Application

Vulnerable

Version: ≥ 17.12.0 ∧ ≤ 17.12.11

CPE:

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

📱

oracle / primavera gateway

Application

Vulnerable

Version: ≥ 18.8.0 ∧ ≤ 18.8.11

CPE:

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

📱

oracle / primavera gateway

Application

Vulnerable

Version: ≥ 19.12.0 ∧ ≤ 19.12.10

CPE:

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

📱

quarkus / quarkus

Application

Vulnerable

Version: ≤ 1.13.7

CPE:

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

28 products•scroll for more

Metrics

5.9 MEDIUMCVSS v3.1[email protected]

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector:

NETWORK

Complexity:

HIGH

Privileges:

NONE

User Interaction:

NONE

Confidentiality:

NONE

Integrity:

HIGH

Availability:

NONE

Scope:

UNCHANGED

🔍 Technical Details

Analysis Status

Modified

CVSS Details

5.9 (MEDIUM)v3.1

Source: [email protected]

EPSS Details

5.0% (Minimal)89.2th percentile

Last updated: Nov 1, 2025

Exploitation probability within 30 days

Published Date

Mar 30, 2021 (4 years ago)

Last Modified

Nov 21, 2024 (11 months ago)

Security Weaknesses2

CWE-444

References60

NVDofficialpatch+57