Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

http://www.openwall.com/lists/oss-security/2015/05/17/1

http://www.securityfocus.com/bid/74704

https://bugzilla.redhat.com/show_bug.cgi?id=1222923

https://github.com/netty/netty/pull/3754

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Related Vulnerabilities

CVE-2023-26134 Vulnerability in npm package git-commit-info

CVE-2017-7685 Vulnerability in maven package org.apache.openmeetings:openmeetings-web

CVE-2021-32859 Vulnerability in maven package org.webjars.npm:github-com-baremetrics-calendar

CVE-2022-28150 Vulnerability in maven package com.synopsys.jenkinsci:ownership

CVE-2020-7762 Vulnerability in npm package jsreport-chrome-pdf

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory Mailing List VDB Entry Issue Tracking