CVE-2020-7622 io.jooby:jooby-netty

Package

Manager: maven
Name: io.jooby:jooby-netty
Vulnerable Version: >=0 <2.2.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00451 (percentile 0.62947)

Details

Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting')

### Impact

- Cross Site Scripting
- Cache Poisoning
- Page Hijacking

### Patches

This was fixed in version `2.2.1`.

### Workarounds

If you are unable to update, ensure that user-supplied data cannot flow into HTTP headers. If it does, pre-sanitize it for CRLF characters.

### References

##### [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')](https://cwe.mitre.org/data/definitions/113.html)

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting, and Jooby is my third case of finding this vulnerability.

### Root Cause

The root cause traces back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

`DefaultHttpHeaders` takes a `validate` parameter which, when `true` (as it is for the no-arg constructor), validates that a header value is not being abused to perform HTTP Response Splitting.

### Reported By

This vulnerability was reported by @JLLeitschuh ([Twitter](https://twitter.com/JLLeitschuh)).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [jooby-project/jooby](https://github.com/jooby-project/jooby/issues)
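The following is an added illustration of the workaround described above; it is example code written for this page, not code from the advisory, from Jooby or from Netty. It shows the check an application can apply to a user-controlled value before it reaches a response header: `requireSafe` refuses any value containing CR, LF, NUL or another control character (the field-value grammar of RFC 7230 allows only VCHAR, SP, HTAB and obs-text), and `stripCrlf` is the lenient variant that removes the line terminators instead. The class and method names, the `renderHeaders` helper and the sample values are invented for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Jooby or Netty code): pre-sanitization of header values
 * so that a CR/LF pair in user-controlled input cannot start a new header
 * line or terminate the header block of the response.
 */
public final class HeaderValueGuard {

    /** Thrown when a value would split the response if written into a header. */
    public static final class UnsafeHeaderValueException extends IllegalArgumentException {
        public UnsafeHeaderValueException(String message) {
            super(message);
        }
    }

    /**
     * Returns the value unchanged if it is safe for a header field, otherwise throws.
     * Rejects CR, LF, NUL and every other C0 control character except HTAB, plus DEL.
     */
    public static String requireSafe(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean control = (c < 0x20 && c != '\t') || c == 0x7F;
            if (control) {
                throw new UnsafeHeaderValueException(String.format(
                        "header '%s' contains control character U+%04X at index %d", name, (int) c, i));
            }
        }
        return value;
    }

    /** Lenient variant: strips CR and LF so the value cannot break out of its header line. */
    public static String stripCrlf(String value) {
        return value.replace("\r", "").replace("\n", "");
    }

    /** Renders a header map the way an unvalidated writer would, to make the effect visible. */
    static String renderHeaders(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder("HTTP/1.1 302 Found\r\n");
        headers.forEach((k, v) -> sb.append(k).append(": ").append(v).append("\r\n"));
        return sb.append("\r\n").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target taken from a query parameter.
        String benign = "/account";
        String hostile = "/account\r\nX-Injected: yes";

        // Without validation the injected line becomes a second header.
        Map<String, String> unvalidated = new LinkedHashMap<>();
        unvalidated.put("Location", hostile);
        System.out.println("--- unvalidated ---");
        System.out.print(renderHeaders(unvalidated));

        // With the guard the benign value passes and the hostile one is refused.
        System.out.println("--- validated ---");
        System.out.println("Location: " + requireSafe("Location", benign));
        try {
            requireSafe("Location", hostile);
        } catch (UnsafeHeaderValueException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("stripped: " + stripCrlf(hostile));
    }
}
```

Rejecting is preferable to stripping: a value that contains CR or LF is never a legitimate redirect target or cookie, so refusing the request surfaces the attempt in logs instead of silently repairing it. The guard is an application-side defence and does not replace upgrading to 2.2.1, where the framework-level validation the advisory describes is restored.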

Metadata

Created: 2020-04-03T15:23:30Z
Modified: 2021-07-29T15:47:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gv3v-92v6-m48j/GHSA-gv3v-92v6-m48j.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-gv3v-92v6-m48j
Finding: F110
Auto approve: 1