First published: Tue Dec 13 2022
Netty is vulnerable to HTTP response splitting because DefaultHttpHeaders.set, when called with an iterator of values, does not validate those values for prohibited characters such as CR and LF. A remote attacker who can influence a header value that an application sets this way could inject arbitrary HTTP/1.1 response headers and cause the server to return a split response when a victim follows a crafted URL. This enables further attacks such as web cache poisoning or cross-site scripting, and possibly the disclosure of sensitive information.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Disconnected Log Collector | v1.0 - v1.8.2 | |
Netty | >=4.1.83.Final, <4.1.86.Final | 4.1.86.Final |
Debian Linux | =10.0 | |
Debian Linux | =11.0 | |
debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u1 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
ubuntu/netty | <1:4.1.48-5ubuntu0.1 | 1:4.1.48-5ubuntu0.1 |
ubuntu/netty | <1:4.1.7-4ubuntu0.1+ | 1:4.1.7-4ubuntu0.1+ |
ubuntu/netty | <1:4.1.45-1ubuntu0.1~ | 1:4.1.45-1ubuntu0.1~ |
ubuntu/netty | <1:4.1.48-4+ | 1:4.1.48-4+ |
ubuntu/netty | <1:4.0.34-1ubuntu0.1~ | 1:4.0.34-1ubuntu0.1~ |
CVE-2022-41915 is a vulnerability in the Netty project: when DefaultHttpHeaders.set is called with an iterator of values, the values are stored without the validation that the single-value set path performs, so a value containing CR/LF is accepted and later written into the response as additional header lines.
CVE-2022-41915 has a severity rating of high (7 out of 10).
Upstream Netty 4.1.83.Final up to, but not including, 4.1.86.Final is affected by CVE-2022-41915. The Debian and Ubuntu package versions in the table above are the fixed builds for each distribution series; earlier packages in the same series remain affected.
To fix CVE-2022-41915, update Netty to version 4.1.86.Final or later.
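The following is an added example, not code from the Netty project or from this advisory. It assumes io.netty:netty-codec-http is on the classpath and uses only public Netty API (DefaultHttpHeaders, HttpHeaders.set, HttpHeaders.getAll); the helper names SafeHeaderSet, containsProhibited and setValidated are this example's own. It shows the difference between the validated single-value set and the iterable set path that skipped validation in the affected releases, and a guard that rejects CR/LF/NUL in every value before the iterable ever reaches Netty. The guard is a stopgap for code that cannot upgrade immediately; upgrading to 4.1.86.Final or later is the fix.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.List;

// Added example (not Netty project code). Assumes netty-codec-http is available.
public final class SafeHeaderSet {

    // Characters that terminate an HTTP/1.1 field line or are otherwise not
    // permitted in a field value: CR, LF, NUL, vertical tab and form feed.
    static boolean containsProhibited(CharSequence v) {
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0' || c == 0x0B || c == '\f') {
                return true;
            }
        }
        return false;
    }

    // Validate every value ourselves, then delegate to the iterable set.
    // On 4.1.83.Final through 4.1.85.Final the delegate stores the values
    // unchecked; this wrapper makes the check version-independent.
    static HttpHeaders setValidated(HttpHeaders headers, CharSequence name, Iterable<?> values) {
        for (Object v : values) {
            if (v == null) {
                throw new NullPointerException("null value for header " + name);
            }
            if (containsProhibited(v.toString())) {
                throw new IllegalArgumentException(
                        "prohibited character in value for header " + name);
            }
        }
        return headers.set(name, values);
    }

    public static void main(String[] args) {
        HttpHeaders headers = new DefaultHttpHeaders(); // validation enabled (default)

        // Constructed attacker-controlled value: a CRLF followed by a second
        // header line, which a split response would emit as its own header.
        String tainted = "ok\r\nSet-Cookie: session=attacker";

        // Single-value set runs the value validator and rejects the CRLF.
        try {
            headers.set("X-Status", tainted);
            System.out.println("single-value set accepted the tainted value (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("single-value set rejected it: " + e.getMessage());
        }

        // Iterable set: on an affected release, headers.set("X-Status", values)
        // would succeed and the CRLF would reach the wire. The guard rejects it.
        List<String> values = Arrays.asList("ok", tainted);
        try {
            setValidated(headers, "X-Status", values);
            System.out.println("guard accepted the tainted value (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("guard rejected it: " + e.getMessage());
        }

        // Clean values pass through to Netty unchanged.
        setValidated(headers, "X-Status", Arrays.asList("ok", "cached"));
        System.out.println("X-Status = " + headers.getAll("X-Status"));
    }
}
```

Compile and run it against a 4.1.83.Final to 4.1.85.Final netty-codec-http to see the iterable path accept the tainted value when called directly, and against 4.1.86.Final or later to see Netty itself reject it; the guard behaves the same in both cases.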
You can find more information about CVE-2022-41915 in the Netty project's security advisory and commit links provided.