Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

http://www.openwall.com/lists/oss-security/2015/05/17/1

http://www.securityfocus.com/bid/74704

https://bugzilla.redhat.com/show_bug.cgi?id=1222923

https://github.com/netty/netty/pull/3754

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Related Vulnerabilities

CVE-2010-5312 Vulnerability in maven package org.fujion.webjars:jquery-ui

CVE-2020-10968 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-36364 Vulnerability in maven package org.apache.calcite.avatica:avatica-core

CVE-2022-36083 Vulnerability in npm package jose-node-esm-runtime

CVE-2017-11554 Vulnerability in npm package node-sass

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory Mailing List VDB Entry Issue Tracking