Описание
Information Exposure in Netty
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2015-2156
- https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- https://github.com/netty/netty/pull/3754
- https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- http://www.openwall.com/lists/oss-security/2015/05/17/1
- http://www.securityfocus.com/bid/74704
Пакеты
io.netty:netty-parent
>= 4.0.0, < 4.0.28.Final
4.0.28.Final
org.jboss.netty:netty
< 3.9.8.Final
3.9.8.Final
org.jboss.netty:netty
>= 3.10.0, < 3.10.3.Final
3.10.3.Final
io.netty:netty
>= 3.10.0, < 3.10.3.Final
3.10.3.Final
io.netty:netty
< 3.9.8.Final
3.9.8.Final
Связанные уязвимости
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0 ...