PT-2019-14827 · Netty+1

Published 2019-12-05 · Updated 2019-12-16 · CVE-2019-16771

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Armeria versions 0.85.0 through 0.96.0

Description

The issue allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response, potentially leading to cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking. The cause is that Armeria uses Netty without Netty's HTTP header validation. Additionally, there are multiple timing-attack vulnerabilities that allow recovery of secrets, because the string comparison methods used for authentication validation are not constant-time.

Recommendations

For versions 0.85.0 through 0.96.0, update to version 0.97.0 to patch the HTTP response splitting vulnerability. To address the timing-attack vulnerabilities, consider removing the equals method or using MessageDigest.isEqual to compare credentials instead. As a temporary workaround, users can prevent the timing attack themselves by obtaining the raw credential through the accessor methods that return the input directly, such as Object.accessToken(), Object.username(), and Object.password(), and comparing it securely.
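The two weaknesses side by side, as an added illustration in plain Java (not Armeria's or Netty's own code; all class and method names are hypothetical): a credential check built on String.equals, which returns at the first differing character, next to the MessageDigest.isEqual check the advisory recommends, plus a header-value check that rejects the CR/LF characters response splitting relies on.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CredentialAndHeaderChecks {

    // Vulnerable pattern: String.equals stops at the first mismatching
    // character, so the time taken leaks how much of the secret matched.
    static boolean equalsVulnerable(String expected, String supplied) {
        return expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual walks every byte when the
    // lengths match, so the time taken does not depend on where they differ
    // (a length mismatch is still reported immediately).
    static boolean equalsConstantTime(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Header value check: a CR or LF inside a value ends the header line,
    // so anything after it would be parsed as further headers or the body.
    static boolean isSafeHeaderValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String token = "s3cr3t-token"; // constructed sample credential
        // Both checks give the same boolean; only their timing differs.
        System.out.println(equalsVulnerable(token, "s3cr3t-tokeX"));
        System.out.println(equalsConstantTime(token, "s3cr3t-tokeX"));
        // Constructed untrusted value that must not reach a response header.
        String untrusted = "/home\r\nX-Injected: 1";
        System.out.println(isSafeHeaderValue(untrusted));
    }
}
```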

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2019-16771
GHSA-24R8-FM9R-CPJ2
GHSA-35FR-H7JR-HH86

Affected Products

Armeria
Netty