AI Score: 9.4 High (Confidence: High)
EPSS: 0.006 Low (Percentile: 78.1%)
This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. The DefaultHttpHeaders is set to false, which means it does not validate that the header isn't being abused for HTTP Response Splitting.
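The effect of that flag can be checked directly against Netty's `DefaultHttpHeaders(boolean validate)` constructor. The following is an added example, not code from Jooby or from the advisory; the class name, header name and sample values are constructed for illustration, and it assumes Netty 4.1 on the classpath.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class HeaderValidationDemo {

    // Constructed sample values: one benign, two carrying line breaks
    // that would start a new header line if written to the wire as-is.
    static final String[] SAMPLES = {
        "en-US",
        "en\r\nSet-Cookie: session=constructed",
        "en\nX-Constructed: 1"
    };

    /** Returns true if the headers object stored the value, false if it rejected it. */
    static boolean accepts(HttpHeaders headers, String name, String value) {
        try {
            headers.set(name, value);
            return true;
        } catch (IllegalArgumentException e) {
            // Thrown by the validating implementation for illegal header characters.
            return false;
        }
    }

    /** Makes CR and LF visible when printing a sample value. */
    static String printable(String value) {
        return value.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        for (String value : SAMPLES) {
            // validate=false: the setting described in the advisory text.
            boolean weak = accepts(new DefaultHttpHeaders(false), "Content-Language", value);
            // validate=true: names and values are checked before being stored.
            boolean strict = accepts(new DefaultHttpHeaders(true), "Content-Language", value);
            System.out.printf("%-45s validate=false:%-5b validate=true:%b%n",
                    printable(value), weak, strict);
        }
    }
}
```

With validation disabled every sample is stored unchanged; with validation enabled the values containing a line break followed by header text are rejected with `IllegalArgumentException`, so they never reach the response.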
github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4
github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249