CVE-2015-2156 – io.netty:netty-parent
Package
Manager: maven
Name: io.netty:netty-parent
Vulnerable Version: >=4.0.0 <4.0.28.final
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00428 (percentile 0.61648)
Details
Information Exposure in Netty. Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5, and Play Framework 2.x before 2.3.9, might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Metadata
Created: 2020-06-30T21:01:21Z
Modified: 2021-09-22T18:45:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-xfv3-rrfm-f2rv
Finding: F184
Auto approve: 1