Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-HH82-3PMQ-7FRP
HistoryDec 12, 2022 - 9:25 p.m.

Netty vulnerable to HTTP Response splitting from assigning header value iterator

2022-12-1221:25:44
CWE-113
CWE-436
GitHub Advisory Database
github.com
24
netty
http response splitting
http header validation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

61.0%

JSON

Impact

When calling DefaultHttpHeaders.set with an iterator of values (as opposed to a single given value), header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting.

Patches

The necessary validation was added in Netty 4.1.86.Final.

Workarounds

Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.

References

HTTP Response Splitting
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers

For more information

If you have any questions or comments about this advisory:

Affected configurations

Vulners
Node
io.nettynetty-codec-httpRange4.1.83.Finalโ€“4.1.86.Final
VendorProductVersionCPE
io.nettynetty-codec-http*cpe:2.3:a:io.netty:netty-codec-http:*:*:*:*:*:*:*:*

Related

ibm 18
cve 1
wolfi 1
cvelist 1
ubuntucve 1
cgr 1
veracode 1
nvd 1
prion 1
debiancve 1
osv 5
openvas 4
nessus 7
redos 1
debian 2
ubuntu 1
oracle 5
ibm
ibm
Security Bulletin: Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component
2023-07-24 19:55:06
Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to HTTP response splitting due to Netty (CVE-2022-41915)
2023-03-30 19:17:10
Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Netty (CVE-2022-41915)
2023-03-29 03:05:54
cve
cve
CVE-2022-41915
2022-12-13 07:15:13
wolfi
wolfi
CVE-2022-41915 vulnerabilities
2024-05-29 03:07:31
cvelist
cvelist
CVE-2022-41915
2022-12-13 00:00:00
ubuntucve
ubuntucve
CVE-2022-41915
2022-12-13 00:00:00
cgr
cgr
CVE-2022-41915 vulnerabilities
2024-05-19 03:07:16
veracode
veracode
HTTP Response Splitting
2022-12-13 02:14:59
nvd
nvd
CVE-2022-41915
2022-12-13 07:15:13
prion
prion
Input validation
2022-12-13 07:15:00
debiancve
debiancve
CVE-2022-41915
2022-12-13 07:15:13
osv
osv
Netty vulnerable to HTTP Response splitting from assigning header value iterator
2022-12-12 21:25:44
CVE-2022-41915
2022-12-13 07:15:13
netty - security update
2023-01-11 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:2096-1)
2023-05-09 00:00:00
Debian: Security Advisory (DSA-5316-1)
2023-01-12 00:00:00
Debian: Security Advisory (DLA-3268-1)
2023-01-12 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2023:2096-1)
2023-05-11 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2023:2096-2)
2023-06-22 00:00:00
Debian DSA-5316-1 : netty - security update
2023-01-12 00:00:00
redos
redos
ROS-20240514-04
2024-05-14 00:00:00
debian
debian
[SECURITY] [DLA 3268-1] netty security update
2023-01-11 22:57:14
[SECURITY] [DSA 5316-1] netty security update
2023-01-11 22:38:12
ubuntu
ubuntu
Netty vulnerabilities
2023-04-28 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2024
2024-07-16 00:00:00
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

61.0%

JSON
Related for GHSA-HH82-3PMQ-7FRP
ibm18cve1wolfi1cvelist1ubuntucve1cgr1veracode1nvd1prion1debiancve1osv5openvas4nessus7redos1debian2ubuntu1oracle5