CVE-2015-2156: Improper Input Validation
(updated )
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
References
- lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- www.openwall.com/lists/oss-security/2015/05/17/1
- www.securityfocus.com/bid/74704
- bugzilla.redhat.com/show_bug.cgi?id=1222923
- github.com/advisories/GHSA-xfv3-rrfm-f2rv
- github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- github.com/netty/netty/pull/3754
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2015-2156
- snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Detect and mitigate CVE-2015-2156 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →