Description
All versions of io.micronaut:micronaut-http-client before 1.2.11, and all versions from 1.3.0 before 1.3.2, are vulnerable to HTTP Request Header Injection because the client does not validate the request headers passed to it.
Remediation
References
https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm
https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342