Description
All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.
Remediation
References
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm
https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342
https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1
Related Vulnerabilities
CVE-2020-24807 Vulnerability in npm package socket.io-file
CVE-2023-34603 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent
CVE-2023-49293 Vulnerability in npm package vite
CVE-2021-21350 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2022-23621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore