Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Remediation
References
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
https://github.com/netty/netty/pull/3754
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
http://www.securityfocus.com/bid/74704
http://www.openwall.com/lists/oss-security/2015/05/17/1
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Related Vulnerabilities
CVE-2019-12043 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:remarkable
CVE-2015-2912 Vulnerability in maven package com.orientechnologies:orientdb-server
CVE-2018-8034 Vulnerability in maven package org.apache.tomcat:tomcat-websocket
CVE-2019-10339 Vulnerability in maven package org.jenkins-ci.plugins:jx-resources
CVE-2019-19899 Vulnerability in maven package io.pebbletemplates:pebble