Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmdjMtcnJmbS1mMnJ2
Information Exposure in Netty
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Permalink: https://github.com/advisories/GHSA-xfv3-rrfm-f2rvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmdjMtcnJmbS1mMnJ2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-xfv3-rrfm-f2rv, CVE-2015-2156
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-2156
- https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- https://github.com/netty/netty/pull/3754
- https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- http://www.openwall.com/lists/oss-security/2015/05/17/1
- http://www.securityfocus.com/bid/74704
- https://github.com/advisories/GHSA-xfv3-rrfm-f2rv
Blast Radius: 31.2
Affected Packages
maven:io.netty:netty
Dependent packages: 1,133Dependent repositories: 14,650
Downloads:
Affected Version Ranges: < 3.9.8.Final, >= 3.10.0, < 3.10.3.Final
Fixed in: 3.9.8.Final, 3.10.3.Final
All affected versions:
All unaffected versions:
maven:org.jboss.netty:netty
Dependent packages: 324Dependent repositories: 1,820
Downloads:
Affected Version Ranges: >= 3.10.0, < 3.10.3.Final, < 3.9.8.Final
Fixed in: 3.10.3.Final, 3.9.8.Final
All affected versions:
All unaffected versions:
maven:io.netty:netty-parent
Dependent packages: 3Dependent repositories: 8
Downloads:
Affected Version Ranges: >= 4.0.0, < 4.0.28.Final
Fixed in: 4.0.28.Final
All affected versions: 4.0.2-0.Final, 4.0.2-1.Final, 4.0.2-2.Final, 4.0.2-3.Final, 4.0.2-4.Final, 4.0.2-5.Final, 4.0.2-6.Final, 4.0.2-7.Final
All unaffected versions: