CVE-2020-7622
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting')
Description
### Impact

- Cross Site Scripting
- Cache Poisoning
- Page Hijacking

### Patches

This was fixed in version `2.2.1`.

### Workarounds

If you are unable to update, ensure that user-supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.

### References

##### [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')](https://cwe.mitre.org/data/definitions/113.html)

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

### Root Cause

This root cause traces back to this line in the Jooby codebase: https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

The `DefaultHttpHeaders` constructor takes a parameter `validate` which, when `true` (as it is for the no-arg constructor), validates that the header isn't being abused to do HTTP Response Splitting.

### Reported By

This vulnerability was reported by @JLLeitschuh ([Twitter](https://twitter.com/JLLeitschuh))

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [jooby-project/jooby](https://github.com/jooby-project/jooby/issues)
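The following is an added illustration, not code from the Jooby or Netty projects, of the two points the advisory makes: Netty's `DefaultHttpHeaders` only rejects CR/LF in a header value when it is constructed with `validate` set to `true` (the no-arg constructor), and an application that cannot upgrade can refuse such values itself before they reach the framework. The header name `Location`, the sample value and the `requireNoCrlf` helper are constructed for this demo; the assumption that the pre-2.2.1 code passed `validate=false` is inferred from the advisory's wording, not confirmed by the linked line.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

/**
 * Added demo (not Jooby/Netty project code) of the CVE-2020-7622 root cause:
 * DefaultHttpHeaders silently accepts CR/LF in header values unless validate == true.
 * Requires Netty 4.1 (io.netty:netty-codec-http) on the classpath.
 */
public class CrlfHeaderDemo {

    /** Constructed sample of a header value carrying a CRLF sequence from untrusted input. */
    static final String TAINTED_VALUE = "/home\r\nX-Injected: yes";

    /**
     * Advisory workaround, applied at the application boundary: reject any value
     * containing CR or LF rather than silently stripping, so the caller learns
     * that untrusted data reached a header (hypothetical helper, not a Jooby API).
     */
    static String requireNoCrlf(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF not allowed in header value");
        }
        return value;
    }

    /** Returns true when the headers object accepted the value without complaint. */
    static boolean accepts(HttpHeaders headers, String value) {
        try {
            headers.set("Location", value);
            return true;
        } catch (IllegalArgumentException e) {
            // Netty's validator throws here when validate == true.
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumed pre-2.2.1 pattern: validation off, so the raw CRLF bytes would be serialized.
        HttpHeaders unvalidated = new DefaultHttpHeaders(false);
        System.out.println("validate=false accepted tainted value: " + accepts(unvalidated, TAINTED_VALUE));

        // No-arg constructor means validate=true: the set() call throws and the header is never stored.
        HttpHeaders validated = new DefaultHttpHeaders();
        System.out.println("validate=true accepted tainted value: " + accepts(validated, TAINTED_VALUE));

        // Application-level guard for deployments that cannot upgrade yet.
        try {
            requireNoCrlf(TAINTED_VALUE);
            System.out.println("pre-sanitization accepted value");
        } catch (IllegalArgumentException e) {
            System.out.println("pre-sanitization rejected value: " + e.getMessage());
        }
    }
}
```

Running this against Netty 4.1 shows the unvalidated headers object accepting the tainted value while the validated one rejects it with an `IllegalArgumentException`. Rejecting rather than stripping is deliberate: stripping hides the fact that user input reached a header, whereas a thrown exception surfaces the bug in tests and logs.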
How to fix CVE-2020-7622
To remediate CVE-2020-7622, upgrade the affected package to a fixed version below.
- upgrade to 2.2.1 or later
Is CVE-2020-7622 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 2.2.1