CVE-2020-7622: Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)

April 3, 2020 (updated August 3, 2021)

This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn’t being abused for HTTP Response Splitting.

References

github.com/advisories/GHSA-gv3v-92v6-m48j
github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4
github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
nvd.nist.gov/vuln/detail/CVE-2020-7622

Detect and mitigate CVE-2020-7622 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →