CVE-2015-2156
HIGH7.5EPSS 3.3%Information Exposure in Netty
發布日:2020/6/30修改日:2026/4/28
描述
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
受影響套件(4)
- Debian/nettyfrom 0, < 1:4.0.31-1
- Maven/io.netty:netty>= 3.10.0, < 3.10.3.Final
- Maven/io.netty:netty-parent>= 4.0.0, < 4.0.28.Final
- Maven/org.jboss.netty:nettyfrom 0, < 3.9.8.Final
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(19)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-2156
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-2156
- PATCHhttps://github.com/netty/netty
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- WEBhttp://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1222923
- WEBhttps://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
- WEBhttps://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
- WEBhttps://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
- WEBhttps://github.com/netty/netty/pull/3754
- WEBhttps://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- WEBhttps://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
- WEBhttps://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- WEBhttp://www.openwall.com/lists/oss-security/2015/05/17/1
- WEBhttp://www.securityfocus.com/bid/74704