Описание
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
Impact
- Cross Site Scripting
- Cache Poisoning
- Page Hijacking
Patches
This was fixed in version 2.2.1.
Workarounds
If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.
Root Cause
This roots cause back to this line in the Jooby codebase:
The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.
Reported By
This vulnerability was reported by @JLLeitschuh (Twitter)
For more information
If you have any questions or comments about this advisory:
- Open an issue in jooby-project/jooby
Пакеты
io.jooby:jooby-netty
< 2.2.1
2.2.1
Связанные уязвимости
This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.