7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
78.1%
This was fixed in version 2.2.1
.
If you are unable to update, ensure that user supplied data isn’t able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.
I’ve been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.
This roots cause back to this line in the Jooby codebase:
The DefaultHttpHeaders
takes a parameter validate
which, when true
(as it is for the no-arg constructor) validates that the header isn’t being abused to do HTTP Response Splitting.
This vulnerability was reported by @JLLeitschuh (Twitter)
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
io.jooby:jooby-netty | lt | 2.2.1 |
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
78.1%