CVE-2015-2156 — Improper Input Validation in Netty

CWE-20 — Improper Input Validation8 documents6 sources

Severity

7.5HIGHNVD

EPSS

3.3%

top 12.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Debian Netty Lightbend Play Framework +1 more

Timeline

PublishedOct 18

Latest updateJun 30

Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDlightbend/play_framework23 versions+22

▶NVDplayframework/play_framework15 versions+14

▶debiandebian/netty< netty 1:4.0.31-1 (bookworm)

▶Debiannetty/netty< 1:4.0.31-1+3

▶NVDnetty/netty3.9.7+32

🔴Vulnerability Details

OSV

Information Exposure in Netty↗2020-06-30

▶

GHSA

Information Exposure in Netty↗2020-06-30

▶

OSV

CVE-2015-2156: Netty before 3↗2017-10-18

▶

📋Vendor Advisories

Red Hat

netty: HttpOnly cookie bypass↗2015-05-09

▶

Debian

CVE-2015-2156: netty - Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final,...↗2015

▶

💬Community

Bugzilla

CVE-2015-2156 netty: HttpOnly cookie bypass [fedora-all]↗2015-05-19

▶

Bugzilla

CVE-2015-2156 netty: HttpOnly cookie bypass↗2015-05-19

▶