What is CVE-2022-41915?

CVE-2022-41915 is a vulnerability in the Netty project that allows malicious header values to bypass validation when using the DefaultHttpHeaders.set method with an iterator of values.

How severe is CVE-2022-41915?

CVE-2022-41915 has a severity rating of high (7 out of 10).

Which versions of Netty are affected by CVE-2022-41915?

Netty versions prior to 4.1.83.Final and starting from 4.1.48-5ubuntu0.1, 4.1.7-4ubuntu0.1+, 4.1.45-1ubuntu0.1~, 4.1.48-4+, 4.0.34-1ubuntu0.1~, 4.1.33-1+deb10u3, 4.1.48-4+deb11u1, and 4.1.48-7 are affected by CVE-2022-41915.

How can I fix CVE-2022-41915?

To fix CVE-2022-41915, update Netty to version 4.1.86.Final or later.

Where can I find more information about CVE-2022-41915?

You can find more information about CVE-2022-41915 in the Netty project's security advisory and commit links provided.

Vulnerability/
CVE-2022-41915

medium

6.5

CWE

113 436

13/12/2022

29/9/2023

CVE-2022-41915

First published: Tue Dec 13 2022(Updated: )

Netty is vulnerable to HTTP response splitting attacks, caused by a flaw when calling DefaultHttpHeaders.set with an iterator of values. A remote attacker could exploit this vulnerability to inject arbitrary HTTP/1.1 response header in some form and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
IBM Disconnected Log Collector	<=v1.0 - v1.8.2
Netty Netty	>=4.1.83<4.1.86
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0
debian/netty	<=1:4.1.33-1+deb10u2	1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u1 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9
ubuntu/netty	<1:4.1.48-5ubuntu0.1	1:4.1.48-5ubuntu0.1
ubuntu/netty	<1:4.1.7-4ubuntu0.1+	1:4.1.7-4ubuntu0.1+
ubuntu/netty	<1:4.1.45-1ubuntu0.1~	1:4.1.45-1ubuntu0.1~
ubuntu/netty	<1:4.1.48-4+	1:4.1.48-4+
ubuntu/netty	<1:4.0.34-1ubuntu0.1~	1:4.0.34-1ubuntu0.1~

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-41915?
CVE-2022-41915 is a vulnerability in the Netty project that allows malicious header values to bypass validation when using the DefaultHttpHeaders.set method with an iterator of values.
How severe is CVE-2022-41915?
CVE-2022-41915 has a severity rating of high (7 out of 10).
Which versions of Netty are affected by CVE-2022-41915?
Netty versions prior to 4.1.83.Final and starting from 4.1.48-5ubuntu0.1, 4.1.7-4ubuntu0.1+, 4.1.45-1ubuntu0.1~, 4.1.48-4+, 4.0.34-1ubuntu0.1~, 4.1.33-1+deb10u3, 4.1.48-4+deb11u1, and 4.1.48-7 are affected by CVE-2022-41915.
How can I fix CVE-2022-41915?
To fix CVE-2022-41915, update Netty to version 4.1.86.Final or later.
Where can I find more information about CVE-2022-41915?
You can find more information about CVE-2022-41915 in the Netty project's security advisory and commit links provided.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/debian-bugs
alias/CVE-2022-41915
collector/ibm-support
collector/launchpad-cve
source/Launchpad
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/nvd-index
collector/security-tracker-debian
source/Debian
collector/usn-cve
source/Ubuntu
vendor/ibm
canonical/ibm disconnected log collector
version/ibm disconnected log collector/v1.0 - v1.8.2
vendor/netty
canonical/netty netty
version/netty netty/4.1.83
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
version/debian debian linux/11.0
package-manager/debian
package-manager/ubuntu