Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Remediation
References
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
https://github.com/netty/netty/pull/3754
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
http://www.securityfocus.com/bid/74704
http://www.openwall.com/lists/oss-security/2015/05/17/1
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Related Vulnerabilities
CVE-2022-23305 Vulnerability in maven package log4j:log4j
CVE-2023-49371 Vulnerability in maven package com.ruoyi:ruoyi
CVE-2018-3767 Vulnerability in npm package memjs
CVE-2016-10735 Vulnerability in maven package org.webjars.bowergithub.angular-ui:bootstrap
CVE-2017-16144 Vulnerability in npm package myserver.alexcthomas18