GHSA-xfv3-rrfm-f2rv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xfv3-rrfm-f2rv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xfv3-rrfm-f2rv
- Aliases
- Published
- 2020-06-30T21:01:21Z
- Modified
- 2024-02-16T08:04:08.954640Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Information Exposure in Netty
- Details
-
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-30T20:59:55Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-2156
- https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- https://github.com/netty/netty/pull/3754
- https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- https://github.com/netty/netty
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- http://www.openwall.com/lists/oss-security/2015/05/17/1
- http://www.securityfocus.com/bid/74704
Affected packages
Maven / io.netty:netty-parent
Package
- Name
- io.netty:netty-parent
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-parent
Affected versions
4.*
4.0.0.Final
4.0.1.Final
4.0.2.Final
4.0.3.Final
4.0.4.Final
4.0.5.Final
4.0.6.Final
4.0.7.Final
4.0.8.Final
4.0.9.Final
4.0.10.Final
4.0.11.Final
4.0.12.Final
4.0.13.Final
4.0.14.Beta1
4.0.14.Final
4.0.15.Final
4.0.16.Final
4.0.17.Final
4.0.18.Final
4.0.19.Final
4.0.20.Final
4.0.21.Final
4.0.22.Final
4.0.23.Final
4.0.24.Final
4.0.25.Final
4.0.26.Final
4.0.27.Final
Maven / org.jboss.netty:netty
Package
- Name
- org.jboss.netty:netty
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jboss.netty/netty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.9.8.Final
Affected versions
3.*
3.0.0.CR1
3.0.0.CR2
3.0.0.CR3
3.0.0.CR4
3.0.0.CR5
3.0.0.GA
3.0.1.GA
3.0.2.GA
3.1.0.ALPHA1
3.1.0.ALPHA2
3.1.0.ALPHA3
3.1.0.ALPHA4
3.1.0.BETA1
3.1.0.BETA2
3.1.0.BETA3
3.1.0.CR1
3.1.0.GA
3.1.1.GA
3.1.2.GA
3.1.3.GA
3.1.4.GA
3.1.5.GA
3.2.0.ALPHA1
3.2.0.ALPHA2
3.2.0.ALPHA3
3.2.0.ALPHA4
3.2.0.BETA1
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.2.10.Final
Maven / org.jboss.netty:netty
Package
- Name
- org.jboss.netty:netty
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jboss.netty/netty
Maven / io.netty:netty
Package
- Name
- io.netty:netty
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty
Maven / io.netty:netty
Package
- Name
- io.netty:netty
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.9.8.Final
Affected versions
3.*
3.3.0.Final
3.3.1.Final
3.4.0.Alpha1
3.4.0.Alpha2
3.4.0.Beta1
3.4.0.Final
3.4.1.Final
3.4.2.Final
3.4.3.Final
3.4.4.Final
3.4.5.Final
3.4.6.Final
3.5.0.Beta1
3.5.0.Final
3.5.1.Final
3.5.2.Final
3.5.3.Final
3.5.4.Final
3.5.5.Final
3.5.6.Final
3.5.7.Final
3.5.8.Final
3.5.9.Final
3.5.10.Final
3.5.11.Final
3.5.12.Final
3.5.13.Final
3.6.0.Beta1
3.6.0.Final
3.6.1.Final
3.6.2.Final
3.6.3.Final
3.6.4.Final
3.6.5.Final
3.6.6.Final
3.6.7.Final
3.6.8.Final
3.6.9.Final
3.6.10.Final
3.7.0.Final
3.7.1.Final
3.8.0.Final
3.8.1.Final
3.8.2.Final
3.8.3.Final
3.9.0.Final
3.9.1.Final
3.9.1.1.Final
3.9.2.Final
3.9.3.Final
3.9.4.Final
3.9.5.Final
3.9.6.Final
3.9.7.Final