Netty · Netty · CVE-2022-41915
**Name of the Vulnerable Software and Affected Versions**
Netty versions 4.1.83.Final through 4.1.85.Final
Netty versions prior to 4.1.86.Final
**Description**
The Netty project is an event-driven asynchronous network application framework. When calling `DefaultHttpHeaders.set` with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue can be exploited by a remote attacker to disclose and modify protected information.
**Recommendations**
For Netty versions 4.1.83.Final through 4.1.85.Final, update to version 4.1.86.Final to resolve the issue.
For versions prior to 4.1.86.Final, integrators can work around the issue by replacing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call with a `remove()` call followed by `add()` called in a loop over the iterator of values; `add()` performs the header value validation that the iterator-based `set()` skipped.
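The following is an added example of that workaround, not code from the Netty project or from the advisory. It assumes a Netty 4.1.x build older than 4.1.86.Final on the classpath and that `DefaultHttpHeaders` is constructed with validation enabled (its default). The helper takes an `Iterable`, which is the parameter type of the `HttpHeaders.set` overload the advisory refers to; the helper name `setValidated` and the sample header values are constructed for illustration.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.List;

public class SafeHeaderSet {

    /**
     * Workaround for CVE-2022-41915 on Netty older than 4.1.86.Final.
     * Instead of headers.set(name, values), which skipped value validation,
     * clear the header and add each value individually. add() runs the normal
     * header value validation, so a value containing CR or LF is rejected with
     * an IllegalArgumentException rather than written into the response.
     */
    public static void setValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        headers.remove(name);
        for (Object value : values) {
            headers.add(name, value);
        }
    }

    public static void main(String[] args) {
        // Validation is enabled by default for DefaultHttpHeaders.
        HttpHeaders headers = new DefaultHttpHeaders();

        // Constructed sample: two benign values for one header.
        List<String> benign = Arrays.asList("no-cache", "no-store");
        setValidated(headers, "Cache-Control", benign);
        System.out.println("Cache-Control = " + headers.getAll("Cache-Control"));

        // Constructed sample: the second value carries a CRLF, the shape that
        // the unpatched set(name, Iterable) would have accepted unchecked.
        List<String> tainted = Arrays.asList("ok", "bad\r\nX-Injected: 1");
        try {
            setValidated(headers, "X-Custom", tainted);
            System.out.println("unexpected: tainted value was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Note that `add()` validates each value as it goes, so when a later value in the iterable fails validation the earlier values have already been stored under that name; treat the exception as a failure of the whole `set` and do not send the response in that state. Upgrading to 4.1.86.Final, where `set(CharSequence, Iterable<?>)` validates again, removes the need for the helper.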