PT-2020-19659 · Io.Jooby · Io.Jooby:Jooby-Netty

Jonathan Leitschuh · Published 2020-04-03 · Updated 2021-08-03 · CVE-2020-7622

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: io.jooby:jooby-netty versions 1.6.9 and earlier, and versions 2.0.0 through 2.2.0

Description: Jooby's Netty integration constructs Netty's DefaultHttpHeaders with its validate parameter set to false, so header values are not checked for CRLF sequences; user-supplied data that reaches a response header can therefore be abused for HTTP Response Splitting. The weakness is improper neutralization of CRLF sequences in HTTP headers, and exploitation can lead to Cross Site Scripting, Cache Poisoning, and Page Hijacking. The root cause is a specific line in the Jooby codebase where DefaultHttpHeaders is instantiated: its validate parameter, when set to true, makes Netty verify that a header is not being used for HTTP Response Splitting.

Recommendations: For versions 1.6.9 and earlier, update to version 2.2.1 or later. For versions 2.0.0 through 2.2.0, update to version 2.2.1. As a temporary workaround, ensure that user-supplied data cannot flow into HTTP headers, and if it must, pre-sanitize it for CR and LF characters.
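The following is an added illustration, not code from Jooby or Netty, of the three configurations the advisory describes: DefaultHttpHeaders with validate=false (the affected setting), the same headers with validate=true (the fixed setting, under which Netty throws IllegalArgumentException for a value carrying a bare CRLF), and the temporary workaround of refusing CR/LF in user-supplied data before it reaches a header. It assumes Netty 4.1's netty-codec-http on the classpath; the class name, the rejectCrlf helper and the sample header value are constructed for this example.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

// Added example (not Jooby's or Netty's own code). Assumes Netty 4.1's
// netty-codec-http on the classpath; rejectCrlf and TAINTED are constructed.
public class HeaderSplittingDemo {

    // Constructed value of the shape the advisory warns about: a plausible
    // header value followed by CRLF and a second, injected header line.
    static final String TAINTED = "en-US\r\nSet-Cookie: session=forged";

    // Affected configuration: validate=false, as in the vulnerable Jooby versions.
    // Netty performs no CRLF check, so the value is stored unchanged.
    static HttpHeaders unvalidated() {
        HttpHeaders headers = new DefaultHttpHeaders(false);
        headers.set("Content-Language", TAINTED);
        return headers;
    }

    // Fixed configuration: validate=true. Netty rejects a value whose CR/LF is
    // not part of obsolete line folding, throwing IllegalArgumentException.
    static boolean validatedRejects(String value) {
        HttpHeaders headers = new DefaultHttpHeaders(true);
        try {
            headers.set("Content-Language", value);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    // Workaround from the advisory as an explicit pre-check, independent of the
    // Netty flag: refuse any CR or LF rather than stripping them, so nothing
    // ambiguous is ever emitted.
    static String rejectCrlf(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("header value must not contain CR or LF");
        }
        return value;
    }

    public static void main(String[] args) {
        // validate=false: the tainted value is accepted as-is
        System.out.println("validate=false stored: "
                + unvalidated().get("Content-Language").replace("\r\n", "\\r\\n"));
        // validate=true: the same value is refused
        System.out.println("validate=true rejects: " + validatedRejects(TAINTED));
        // workaround: the pre-check refuses it before any header is touched
        try {
            rejectCrlf(TAINTED);
        } catch (IllegalArgumentException e) {
            System.out.println("rejectCrlf: " + e.getMessage());
        }
        System.out.println("clean value passes: " + rejectCrlf("en-US"));
    }
}
```

The pre-check is deliberately a rejection rather than a replacement: a sanitizer that silently drops CR and LF can still let an attacker-chosen string through in a form the application did not expect, whereas refusing the request makes the problem visible in logs and keeps the fix on the code path that accepts the untrusted input.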

Exploit · Fix · HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

CVE-2020-7622
GHSA-GV3V-92V6-M48J
SNYK-JAVA-IOJOOBY-564249

Affected Products

Io.Jooby:Jooby-Netty