Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

http://www.openwall.com/lists/oss-security/2015/05/17/1

http://www.securityfocus.com/bid/74704

https://bugzilla.redhat.com/show_bug.cgi?id=1222923

https://github.com/netty/netty/pull/3754

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Related Vulnerabilities

CVE-2023-40037 Vulnerability in maven package org.apache.nifi:nifi-dbcp-base

CVE-2019-10346 Vulnerability in maven package org.jenkins-ci.plugins:embeddable-build-status

CVE-2020-2258 Vulnerability in maven package org.jenkins-ci.plugins:cloudbees-jenkins-advisor

CVE-2021-38153 Vulnerability in maven package org.apache.kafka:kafka-clients

CVE-2019-20363 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory Mailing List VDB Entry Issue Tracking