HIGH 7.5 Maven
Information Exposure in Netty
GHSA-xfv3-rrfm-f2rv · CVE-2015-2156
Published · Modified
Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-2156
- WEB https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- WEB https://github.com/netty/netty/pull/3754
- WEB https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- WEB https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- PACKAGE https://github.com/netty/netty
- WEB https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- WEB https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- WEB https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- WEB https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- WEB https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- WEB https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- WEB http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- WEB http://www.openwall.com/lists/oss-security/2015/05/17/1
- WEB http://www.securityfocus.com/bid/74704
Ready to move
Start Securing
Free, no credit card | First findings in minutes