CVE-2020-7622
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting')
Description
### Impact

- Cross Site Scripting
- Cache Poisoning
- Page Hijacking

### Patches

This was fixed in version `2.2.1`.

### Workarounds

If you are unable to update, ensure that user-supplied data cannot flow into HTTP headers. If it does, pre-sanitize it for CRLF characters.

### References

##### [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')](https://cwe.mitre.org/data/definitions/113.html)

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

### Root Cause

The root cause traces back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

`DefaultHttpHeaders` takes a parameter `validate` which, when `true` (as it is for the no-arg constructor), validates that the header isn't being abused to do HTTP Response Splitting.

### Reported By

This vulnerability was reported by @JLLeitschuh ([Twitter](https://twitter.com/JLLeitschuh))

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [jooby-project/jooby](https://github.com/jooby-project/jooby/issues)
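To show what the `validate` flag in the root-cause section actually changes, here is an added example (not Jooby's or Netty's own code) that stores a constructed header value containing CRLF through Netty's `DefaultHttpHeaders` with validation on and off, alongside the application-level CRLF check the workaround section recommends. It assumes Netty 4.1.x is on the classpath; `acceptsValue` and `rejectCrlf` are helper names chosen for this example.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class CrlfHeaderCheck {

    // Builds a header map with Netty validation enabled or disabled and tries
    // to store a Content-Type value as a framework would after reading it from
    // request data. Returns true if the value was stored, false if rejected.
    static boolean acceptsValue(boolean validate, String value) {
        HttpHeaders headers = new DefaultHttpHeaders(validate);
        try {
            headers.set("Content-Type", value);
            return true;
        } catch (IllegalArgumentException e) {
            // With validate=true Netty refuses CR/LF inside a header value,
            // which is what stops the response from being split.
            return false;
        }
    }

    // Application-level guard for the advisory's workaround: reject any header
    // value carrying CR or LF before it reaches a header-setting API that may
    // have been constructed without validation.
    static String rejectCrlf(String headerValue) {
        if (headerValue.indexOf('\r') >= 0 || headerValue.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF not allowed in header value");
        }
        return headerValue;
    }

    public static void main(String[] args) {
        String benign = "text/plain";
        // Constructed sample of a value that would start a second header line.
        String split = "text/plain\r\nX-Injected: 1";

        System.out.println("validated, benign:   " + acceptsValue(true, benign));
        System.out.println("validated, CRLF:     " + acceptsValue(true, split));
        System.out.println("unvalidated, CRLF:   " + acceptsValue(false, split));

        System.out.println("guard passes benign: " + rejectCrlf(benign));
        try {
            rejectCrlf(split);
        } catch (IllegalArgumentException e) {
            System.out.println("guard rejects CRLF:  " + e.getMessage());
        }
    }
}
```

The `validate=false` path mirrors the unpatched behaviour: the CRLF-bearing value is stored unchanged, so the surrounding code must apply a guard such as `rejectCrlf` itself.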
How to fix CVE-2020-7622
To fix CVE-2020-7622, upgrade the affected package to the patched version listed below.
- Upgrade to 2.2.1 or later
Is CVE-2020-7622 being exploited?
Low: EPSS is 0.5%, and no large-scale exploitation activity is currently observed.
Affected packages (1)
- from 0, < 2.2.1