Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

http://www.openwall.com/lists/oss-security/2015/05/17/1

http://www.securityfocus.com/bid/74704

https://bugzilla.redhat.com/show_bug.cgi?id=1222923

https://github.com/netty/netty/pull/3754

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Related Vulnerabilities

CVE-2018-7408 Vulnerability in maven package org.webjars.bower:npm

CVE-2022-42466 Vulnerability in maven package org.apache.isis.extensions:isis-extensions-fullcalendar-applib

CVE-2020-8823 Vulnerability in npm package sockjs

CVE-2021-23555 Vulnerability in npm package vm2

CVE-2020-19698 Vulnerability in maven package org.webjars.npm:editor.md

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory Mailing List VDB Entry Issue Tracking