4.0.2

DATE	CVE	VULNERABILITY TITLE	RISK
2020-01-29	CVE-2019-20445	HTTP Request Smuggling vulnerability in multiple products HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. network low complexity netty debian fedoraproject canonical redhat apache CWE-444 critical	9.1
2020-01-29	CVE-2019-20444	HTTP Request Smuggling vulnerability in multiple products HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." network low complexity netty debian fedoraproject canonical redhat CWE-444 critical	9.1
2019-09-26	CVE-2019-16869	HTTP Request Smuggling vulnerability in multiple products Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. network low complexity netty debian canonical redhat CWE-444	7.5
2017-10-18	CVE-2015-2156	Improper Input Validation vulnerability in multiple products Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. network low complexity netty playframework lightbend CWE-20	7.5