Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2M3YtOTJ2Ni1tNDhq
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
Impact
- Cross Site Scripting
- Cache Poisoning
- Page Hijacking
Patches
This was fixed in version 2.2.1.
Workarounds
If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.
Root Cause
This roots cause back to this line in the Jooby codebase:
The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.
Reported By
This vulnerability was reported by @JLLeitschuh (Twitter)
For more information
If you have any questions or comments about this advisory:
- Open an issue in jooby-project/jooby
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2M3YtOTJ2Ni1tNDhq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 5 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00777
EPSS Percentile: 0.81163
Identifiers: GHSA-gv3v-92v6-m48j, CVE-2020-7622
References:
- https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
- https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4
- https://nvd.nist.gov/vuln/detail/CVE-2020-7622
- https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249
- https://github.com/advisories/GHSA-gv3v-92v6-m48j
Blast Radius: 22.1
Affected Packages
maven:io.jooby:jooby-netty
Dependent packages: 7Dependent repositories: 182
Downloads:
Affected Version Ranges: < 2.2.1
Fixed in: 2.2.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.2.0
All unaffected versions: 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.0