CVE-2022-41915: HTTP Request/Response Splitting in Netty

Severity
NVD: 6.5 MEDIUM
OSV: 7.5
EPSS: 0.6% (top 31.88%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Dec 13
Latest update: Jul 15

Description

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator)` call, into

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (5 packages)

Source     | Package       | Affected versions
CVEListV5  | netty/netty   | 4.1.86.Final 4.1.86.Final +1
NVD        | netty/netty   | 4.1.83 to 4.1.86
debian     | debian/netty  | < netty 1:4.1.48-6 (bookworm)
Debian     | netty/netty   | < 1:4.1.48-4+deb11u1 +3
Ubuntu     | netty/netty   | < 1:4.1.48-4+deb11u1build0.22.04.1 +3

Also affects: Debian Linux 10.0, 11.0

Patches

Vulnerability Details (4)

OSV: netty vulnerabilities (2023-04-28)
OSV: CVE-2022-41915: Netty project is an event-driven asynchronous network application framework (2022-12-13)
OSV: Netty vulnerable to HTTP Response splitting from assigning header value iterator (2022-12-12)
GHSA: Netty vulnerable to HTTP Response splitting from assigning header value iterator (2022-12-12)

Vendor Advisories (3)

Oracle: Oracle Communications Applications Risk Matrix: Rest Services Manager (Netty) — CVE-2022-41915 (2023-07-15)
Ubuntu: Netty vulnerabilities (2023-04-28)
Debian: CVE-2022-41915: netty - Netty project is an event-driven asynchronous network application framework. Sta... (2022)