PT-2017-6553 · Netty+1 · Netty+1
Luca Carettoni
+2
·
Published
2017-10-18
·
Updated
2020-06-30
·
CVE-2015-2156
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Netty versions 3.9.7 and earlier, 3.10.x prior to 3.10.3.Final, 4.0.x prior to 4.0.28.Final, 4.1.x prior to 4.1.0.Beta5
Play Framework versions 2.x prior to 2.3.9
Description
The issue allows remote attackers to bypass the httpOnly flag on cookies, potentially obtaining sensitive information. This is due to improper validation of cookie name and value characters.
Recommendations
For Netty versions 3.9.7 and earlier, update to version 3.9.8.Final or later.
For Netty versions 3.10.x prior to 3.10.3.Final, update to version 3.10.3.Final or later.
For Netty versions 4.0.x prior to 4.0.28.Final, update to version 4.0.28.Final or later.
For Netty versions 4.1.x prior to 4.1.0.Beta5, update to version 4.1.0.Beta5 or later.
For Play Framework versions 2.x prior to 2.3.9, update to version 2.3.9 or later.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netty
Play Framework