PT-2022-7226 · Netty+5

Rafalambrozewicz

·

Published

2022-12-12

·

Updated

2024-10-30

·

CVE-2022-41915

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Netty versions 4.1.83.Final through 4.1.85.Final
Netty versions prior to 4.1.86.Final
Description

The Netty project is an event-driven asynchronous network application framework. When DefaultHttpHeaders.set is called with an iterator of values, the header value validation that Netty normally applies is skipped, so a value containing CR/LF sequences is stored unchanged and later written to the wire as extra header lines (HTTP Response Splitting). A remote attacker who controls one of those values can therefore disclose and modify protected information, for example by injecting headers such as cookies or cache directives into the response.
Recommendations

For Netty versions 4.1.83.Final through 4.1.85.Final, update to version 4.1.86.Final, which restores validation on this code path. Where updating is not yet possible, integrators can work around the issue by replacing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call with a remove() call followed by add() in a loop over the iterator of values; add() runs the value validator on every element. Note that the workaround only helps when validation is enabled at all, i.e. the headers were constructed with the default validating DefaultHttpHeaders() rather than DefaultHttpHeaders(false); disabling validation leaves every set/add path open to CR/LF injection regardless of version.
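The following is an added example (not code from the Netty project or from this advisory) showing the affected call path next to the remove()/add() workaround described above. It assumes a Netty 4.1 dependency on the classpath, uses a List as the Iterable of values, and the header name and the attacker-controlled cookie value are constructed for the demonstration:

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.List;

public class HeaderSetWorkaround {

    // Constructed attacker-controlled value: the embedded CRLF would end the
    // Set-Cookie line and start a second, injected header on the wire.
    static final String INJECTED = "session=abc\r\nSet-Cookie: admin=true";

    // Workaround from the advisory: drop the header, then re-add each value
    // with add(), which runs Netty's header value validator on every element.
    static void setValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        headers.remove(name);
        for (Object value : values) {
            headers.add(name, value); // throws IllegalArgumentException on CR/LF
        }
    }

    public static void main(String[] args) {
        CharSequence name = "Set-Cookie";   // CharSequence so set(CharSequence, Iterable) is chosen
        List<String> values = Arrays.asList("session=abc", INJECTED);

        // 1. Affected path on 4.1.83.Final - 4.1.85.Final: set(name, Iterable)
        //    stores the values without validation. Validation is enabled here
        //    (default constructor), yet the injected value is still accepted.
        //    On 4.1.86.Final and later the same call throws.
        HttpHeaders affected = new DefaultHttpHeaders();
        try {
            affected.set(name, values);
            System.out.println("set(): accepted " + affected.getAll(name));
        } catch (IllegalArgumentException e) {
            System.out.println("set(): rejected (fixed Netty): " + e.getMessage());
        }

        // 2. Workaround: remove() + add() loop. add() validates each value, so
        //    the injected value is rejected on every 4.1.x version.
        HttpHeaders hardened = new DefaultHttpHeaders();
        try {
            setValidated(hardened, name, values);
            System.out.println("add() loop: accepted " + hardened.getAll(name));
        } catch (IllegalArgumentException e) {
            System.out.println("add() loop: rejected: " + e.getMessage());
        }

        // 3. Caveat: with validation disabled nothing protects either path.
        HttpHeaders unvalidated = new DefaultHttpHeaders(false);
        setValidated(unvalidated, name, values);
        System.out.println("validation off: accepted " + unvalidated.getAll(name));
    }
}
```

Running this against an affected release prints the injected value under "set():" and a rejection under "add() loop:"; against 4.1.86.Final or later both calls reject it. The third case shows why the workaround is only meaningful when DefaultHttpHeaders is constructed with validation on.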

Weakness Enumeration

Related Identifiers

BDU:2024-00183
CVE-2022-41915
DLA-3268-1
DSA-5316-1
GHSA-HH82-3PMQ-7FRP
OPENSUSE-SU-2024:14442-1
SUSE-SU-2023:2096-1
SUSE-SU-2023:2096-2
USN-6049-1

Affected Products

Astra Linux
Linuxmint
Netty
Red Os
Suse
Ubuntu