Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-41915

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

Published

2022-12-13T07:15:13.557

Last Modified

2024-11-21T07:24:03.570

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-113
CWE-436
Type: Primary
CWE-436

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	netty	netty	< 4.1.86	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes

References

https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 Patch, Third Party Advisory ([email protected])
https://github.com/netty/netty/issues/13084 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://github.com/netty/netty/pull/12760 Patch, Third Party Advisory ([email protected])
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp Mitigation, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230113-0004/ Third Party Advisory ([email protected])
https://www.debian.org/security/2023/dsa-5316 Third Party Advisory ([email protected])
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty/issues/13084 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty/pull/12760 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230113-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2023/dsa-5316 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)