Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Remediation
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
http://www.openwall.com/lists/oss-security/2015/05/17/1
http://www.securityfocus.com/bid/74704
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
https://github.com/netty/netty/pull/3754
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Related Vulnerabilities
CVE-2022-39353 Vulnerability in npm package @xmldom/xmldom
CVE-2015-8851 Vulnerability in maven package org.webjars.npm:node-uuid
CVE-2022-23708 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2023-25765 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2019-18213 Vulnerability in maven package org.lsp4xml:org.eclipse.lsp4xml.extensions.web