HTTP Request Smuggling issue in neo4j java driver

I found the below security vulnerabilities in neo4j java driver. We are using:

org.neo4j.driver
neo4j-java-driver
1.7.5

CVE-2020-7238 Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
CVE-2019-20444 HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CVE-2019-16869 Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

neo4j-java-driver-1.7.5.jar\META-INF/maven/io.netty/netty-transport/pom.xml (pkg:maven/io.netty/netty-transport@4.1.22.Final, cpe:2.3:a:netty:netty:4.1.22:::::::*) : CVE-2019-16869, CVE-2019-20444, CVE-2019-20445
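
The three header patterns named in the CVE descriptions above can be checked for mechanically. The following is an added example, not part of the original post and not Netty or Neo4j code: a strict header-block check based on the RFC 7230 field syntax. The function names, finding codes and sample requests are constructed for illustration.

```python
import re

# Field names must be RFC 7230 "token" characters only (no spaces, no colon).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def check_headers(raw: bytes) -> list:
    """Return (code, line) findings for the header block of one HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings, names = [], set()
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the request line
        if line[:1] in (b" ", b"\t"):
            # " Transfer-Encoding:chunked": a fold to one parser, a header to another
            findings.append(("leading-ws", line))
            line = line.lstrip(b" \t")            # keep going, as a lenient parser would
        name, colon, _value = line.partition(b":")
        if not colon:
            findings.append(("no-colon", line))   # pattern from CVE-2019-20444
            continue
        if name != name.rstrip(b" \t"):
            findings.append(("ws-before-colon", line))  # pattern from CVE-2019-16869
            name = name.rstrip(b" \t")
        elif not TOKEN.fullmatch(name):
            findings.append(("bad-name", line))
        names.add(name.lower())
    # Both framing headers present: the two ends of a proxy chain may disagree on length.
    if {b"transfer-encoding", b"content-length"} <= names:
        findings.append(("te-and-cl", b""))
    return findings

def codes(raw: bytes) -> list:
    """Finding codes only, in the order they were raised."""
    return [code for code, _line in check_headers(raw)]

# Constructed sample header blocks (headers only, no bodies).
CLEAN = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\n"
WS_BEFORE_COLON = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
                   b"Transfer-Encoding : chunked\r\nContent-Length: 3\r\n\r\n")
LEADING_WS = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
              b" Transfer-Encoding:chunked\r\nContent-Length: 3\r\n\r\n")
NO_COLON = b"GET /x HTTP/1.1\r\nHost: example.test\r\nX-Broken value\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("ws-before-colon", WS_BEFORE_COLON),
                          ("leading-ws", LEADING_WS), ("no-colon", NO_COLON)]:
        print(label, codes(sample))
```

A request that produces any finding should be rejected outright rather than normalized and forwarded, since normalizing is what lets two parsers disagree about where the request ends.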
