#VU70119 HTTP response splitting in Netty - CVE-2022-41915 

 


Published: December 12, 2022


Vulnerability identifier: #VU70119
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41915
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Netty
Software vendor:
Netty project

Description

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists because the software does not validate header values when DefaultHttpHeaders.set is called with an iterator of values. A remote attacker can inject arbitrary header values and perform HTTP splitting attacks.

Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.
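The following added example is not Netty code and is not taken from the advisory. It is a toy header container that models the bug class described above, with an unvalidated multi-value setter beside a hardened one. The class and method names (HeaderSplitDemo, setUnchecked, setChecked, wireLineCount) and the sample values are assumptions constructed for illustration.

```java
import java.util.*;

// Toy header container, NOT Netty code: models a multi-value setter that skips validation.
public class HeaderSplitDemo {
    private final Map<String, List<String>> headers = new LinkedHashMap<>();
    // Reject characters that end or corrupt a header line (CWE-113).
    static String validate(Object value) {
        String s = String.valueOf(value);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0')
                throw new IllegalArgumentException("illegal char in header value at index " + i);
        }
        return s;
    }

    // Models the unvalidated path: values are stored exactly as supplied.
    void setUnchecked(String name, Iterable<?> values) {
        List<String> out = new ArrayList<>();
        for (Object v : values) out.add(String.valueOf(v));
        headers.put(name, out);
    }

    // Hardened path: every element is validated before anything is stored.
    void setChecked(String name, Iterable<?> values) {
        List<String> out = new ArrayList<>();
        for (Object v : values) out.add(validate(v));
        headers.put(name, out);
    }

    // Number of header lines a peer would parse from the serialized block.
    int wireLineCount() {
        StringBuilder sb = new StringBuilder();
        headers.forEach((n, vs) -> vs.forEach(v -> sb.append(n).append(": ").append(v).append("\r\n")));
        return sb.toString().split("\r\n").length;
    }
    public static void main(String[] args) {
        // Constructed input: the second value carries an embedded CRLF.
        List<String> values = Arrays.asList("en", "fr\r\nX-Injected: 1");
        HeaderSplitDemo weak = new HeaderSplitDemo();
        weak.setUnchecked("Content-Language", values);
        System.out.println("unchecked: 2 values in, header lines out = " + weak.wireLineCount());
        try {
            new HeaderSplitDemo().setChecked("Content-Language", values);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected, " + e.getMessage());
        }
    }
}
```

A mismatch between the number of values supplied and the number of header lines serialized is the signal to test for when reviewing any code path that accepts a collection of header values.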


Remediation

Install updates from vendor's website.
