HTTP Response Splitting

Affecting io.jooby:jooby-netty artifact, versions [,2.2.1)

Overview

io.jooby:jooby-netty is a Netty implementation in Jooby.

Affected versions of this package are vulnerable to HTTP Response Splitting. DefaultHttpHeaders is created with its validation flag set to false, which means it does not validate that header values aren't being abused for HTTP Response Splitting.
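
The validation flag described above, shown directly on Netty's `DefaultHttpHeaders`, as an added example that is not Jooby's code or part of the original advisory. It assumes netty-codec-http 4.1.x on the classpath; the class name `HeaderValidationDemo`, the helper `acceptsCrLf` and the sample value are constructed for illustration.

```java
// Added example, not Jooby's code. Assumes netty-codec-http 4.1.x on the classpath.
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class HeaderValidationDemo {

    // Constructed sample: a value carrying a CR LF pair followed by a second header line,
    // as could happen when request input is copied into a response header.
    static final String UNTRUSTED = "/home\r\nX-Constructed-Header: 1";

    /** Returns true if the given headers object accepts a value containing CR/LF. */
    static boolean acceptsCrLf(HttpHeaders headers) {
        try {
            headers.set("Location", UNTRUSTED);
            return true;   // stored as-is; the response encoder would write it verbatim
        } catch (IllegalArgumentException rejected) {
            return false;  // Netty's header validator refused the value
        }
    }

    public static void main(String[] args) {
        // Weak setting described in the advisory: validation switched off.
        HttpHeaders unvalidated = new DefaultHttpHeaders(false);
        // Validation switched on (also what the no-argument constructor does).
        HttpHeaders validated = new DefaultHttpHeaders(true);

        System.out.println("validate=false accepts CR/LF: " + acceptsCrLf(unvalidated));
        System.out.println("validate=true  accepts CR/LF: " + acceptsCrLf(validated));
    }
}
```

The same helper can be used in a unit test to assert that whatever `HttpHeaders` instance an application builds for its responses rejects CR/LF in values.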

Remediation

Upgrade io.jooby:jooby-netty to version 2.2.1 or higher.

CVSS Score

6.5 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit: Jonathan Leitschuh
CVE: CVE-2020-7622
CWE: CWE-113
Snyk ID: SNYK-JAVA-IOJOOBY-564249
Disclosed: 02 Apr, 2020
Published: 02 Apr, 2020