Vulnerability

CVE-2015-2156

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-20

References

https://github.com/netty/netty/pull/3754
https://engineering.linkedin.com/security/look-netty_s-recent-security-update-cve--2015--2156
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2156

[CVE-2015-2156] CWE-20: Improper Input Validation

Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See io.netty/netty package information