Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-43669

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-18 Nov, 2021 | 15:05
Updated At-04 Aug, 2024 | 04:03
Rejected At-
Credits

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Order. This bug has been admitted and fixed by the developers of Fabric.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:18 Nov, 2021 | 15:05
Updated At:04 Aug, 2024 | 04:03
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Order. This bug has been admitted and fixed by the developers of Fabric.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jira.hyperledger.org/browse/FAB-18528
x_refsource_MISC
https://github.com/hyperledger/fabric/pull/2828
x_refsource_MISC
Hyperlink: https://jira.hyperledger.org/browse/FAB-18528
Resource:
x_refsource_MISC
Hyperlink: https://github.com/hyperledger/fabric/pull/2828
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://jira.hyperledger.org/browse/FAB-18528
x_refsource_MISC
x_transferred
https://github.com/hyperledger/fabric/pull/2828
x_refsource_MISC
x_transferred
Hyperlink: https://jira.hyperledger.org/browse/FAB-18528
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/hyperledger/fabric/pull/2828
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:18 Nov, 2021 | 16:15
Updated At:23 Nov, 2021 | 17:12

A vulnerability has been detected in HyperLedger Fabric v1.4.0, v2.0.0, v2.0.1, v2.3.0. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Order. This bug has been admitted and fixed by the developers of Fabric.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CPE Matches
The Linux Foundation
linuxfoundation
>>fabric>>1.4.0
cpe:2.3:a:linuxfoundation:fabric:1.4.0:*:*:*:*:*:*:*
The Linux Foundation
linuxfoundation
>>fabric>>2.0.0
cpe:2.3:a:linuxfoundation:fabric:2.0.0:*:*:*:*:*:*:*
The Linux Foundation
linuxfoundation
>>fabric>>2.0.1
cpe:2.3:a:linuxfoundation:fabric:2.0.1:*:*:*:*:*:*:*
The Linux Foundation
linuxfoundation
>>fabric>>2.3.0
cpe:2.3:a:linuxfoundation:fabric:2.3.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-444Primarynvd@nist.gov
CWE ID: CWE-444
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/hyperledger/fabric/pull/2828cve@mitre.org
Patch
Third Party Advisory
https://jira.hyperledger.org/browse/FAB-18528cve@mitre.org
Vendor Advisory
Hyperlink: https://github.com/hyperledger/fabric/pull/2828
Source: cve@mitre.org
Resource:
Patch
Third Party Advisory
Hyperlink: https://jira.hyperledger.org/browse/FAB-18528
Source: cve@mitre.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

67Records found
CVE-2020-7764
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.9||MEDIUM
EPSS-0.97% / 75.75%
||
7 Day CHG~0.00%
Published-08 Nov, 2020 | 15:50
Updated-17 Sep, 2024 | 03:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web Cache Poisoning

This affects the package find-my-way before 2.2.5, from 3.0.0 and before 3.0.5. It accepts the Accept-Version' header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack.

Action-Not Available
Vendor-find-my-way_projectn/a
Product-find-my-wayfind-my-way
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2020-5401
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 62.65%
||
7 Day CHG~0.00%
Published-27 Feb, 2020 | 19:30
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cloud Foundry GoRouter is vulnerable to cache poisoning

Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app.

Action-Not Available
Vendor-Cloud Foundry
Product-routing_releaseRouting
CWE ID-CWE-393
Return of Wrong Status Code
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-41442
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.32% / 84.17%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 19:04
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-x1860_firmwaredir-x1860n/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-41436
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.34% / 89.69%
||
7 Day CHG~0.00%
Published-19 Nov, 2021 | 11:14
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to DoS via sending a specially crafted HTTP packet.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-rt-ax82u_gundam_editionrt-ax86s_firmwarert-ax3000gt-ax11000_firmwarert-ax56u_firmwarert-ax92u_firmwaretuf-ax5400rt-ax82u_firmwarert-ax88u_firmwarert-ax68urt-ax56u_v2rt-ax88urt-ax82u_gundam_edition_firmwarert-ax92utuf_gaming_ax3000_firmwarert-ax86utuf_gaming_ax3000zenwifi_ax_\(xt8\)rt-ax68u_firmwarert-ax55_firmwarert-ax56urt-ax86u_zaku_ii_edition_firmwarert-ax86u_zaku_ii_editionzenwifi_xd6rt-ax86u_firmwaretuf-ax5400_firmwarert-ax58urt-ax55rt-ax56u_v2_firmwarert-ax3000_firmwaregt-ax11000rt-ax58u_firmwarert-ax82uzenwifi_xd6_firmwarert-ax86szenwifi_ax_\(xt8\)_firmwaren/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-43610
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.35%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 21:53
Updated-04 Aug, 2024 | 04:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Belledonne Belle-sip before 5.0.20 can crash applications such as Linphone via an invalid From header (request URI without a parameter) in an unauthenticated SIP message, a different issue than CVE-2021-33056.

Action-Not Available
Vendor-linphonen/a
Product-belle-sipn/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-41451
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-6.83% / 90.96%
||
7 Day CHG~0.00%
Published-17 Dec, 2021 | 14:32
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-archer_ax10archer_ax10_firmwaren/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-41450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.96% / 90.31%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 15:35
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-archer_ax10_v1archer_ax10_v1_firmwaren/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-37253
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.12% / 86.33%
||
7 Day CHG~0.00%
Published-05 Dec, 2021 | 20:28
Updated-04 Aug, 2024 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application

Action-Not Available
Vendor-n/aM-Files Oy
Product-m-files_webn/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2019-19223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.08% / 88.11%
||
7 Day CHG~0.00%
Published-04 Mar, 2020 | 18:04
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dsl-2680_firmwaredsl-2680n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2020-11993
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-36.97% / 97.03%
||
7 Day CHG~0.00%
Published-07 Aug, 2020 | 15:32
Updated-01 May, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Action-Not Available
Vendor-n/aFedora ProjectCanonical Ltd.The Apache Software FoundationOracle CorporationopenSUSEDebian GNU/LinuxNetApp, Inc.
Product-ubuntu_linuxcommunications_session_route_managerdebian_linuxfedoracommunications_element_managercommunications_session_report_managerhyperion_infrastructure_technologyhttp_serverleapzfs_storage_appliance_kitenterprise_manager_ops_centerinstantis_enterprisetrackclustered_data_ontapApache HTTP Server
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2022-41721
Matching Score-4
Assigner-Go Project
ShareView Details
Matching Score-4
Assigner-Go Project
CVSS Score-7.5||HIGH
EPSS-0.07% / 22.92%
||
7 Day CHG~0.00%
Published-13 Jan, 2023 | 22:46
Updated-04 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Action-Not Available
Vendor-golang.org/x/netGo
Product-h2cgolang.org/x/net/http2/h2c
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-33056
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.41% / 60.81%
||
7 Day CHG~0.00%
Published-12 Aug, 2021 | 20:54
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message.

Action-Not Available
Vendor-linphonen/a
Product-belle-sipn/a
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2019-1020012
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
ShareView Details
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
CVSS Score-7.5||HIGH
EPSS-0.33% / 55.64%
||
7 Day CHG~0.00%
Published-29 Jul, 2019 | 12:16
Updated-05 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

Action-Not Available
Vendor-parseplatformParse
Product-parse-serverparse-server
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-44775
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.20% / 41.81%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 00:00
Updated-16 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in kmqtt v0.2.7 allows attackers to cause a Denial of Service(DoS) via a crafted request.

Action-Not Available
Vendor-n/akmqtt
Product-n/akmqtt
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-22279
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-5.9||MEDIUM
EPSS-0.53% / 66.39%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 19:47
Updated-01 Aug, 2024 | 22:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoRouter Denial of Service Attack

Improper handling of requests in Routing Release > v0.273.0 and <= v0.297.0 allows an unauthenticated attacker to degrade the service availability of the Cloud Foundry deployment if performed at scale.

Action-Not Available
Vendor-Cloud Foundry
Product-routing_releasecf-deploymentRouting Release
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-21647
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.79% / 82.00%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 13:45
Updated-03 Jun, 2025 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Request/Response Smuggling in puma

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Action-Not Available
Vendor-Puma
Product-pumapuma
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2020-5129
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-0.51% / 65.50%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 03:35
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service. This vulnerability affected SMA1000 Version 12.1.0-06411 and earlier.

Action-Not Available
Vendor-SonicWall Inc.
Product-sma1000sma1000_firmwareSMA1000
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
  • Previous
  • 1
  • 2
  • Next
Details not found