Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-16771

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Published

2019-12-06T19:15:10.787

Last Modified

2024-11-21T04:31:09.460

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-113
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	linecorp	armeria	< 0.97.0	Yes

References

https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20 Patch, Vendor Advisory ([email protected])
https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86 Mailing List, Third Party Advisory ([email protected])
https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)