1. Home
  2. Vulnerabilities
  3. CVE-2022-41915

CVE-2022-41915

CVSS v3.1 6.5 (Medium)
65% Progress
EPSS 0.22 % (61th)
0.22% Progress
Affected Products 2
Advisories 5
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.

Weaknesses
CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-436
Interpretation Conflict
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2022-12-13 07:15:13
(21 months ago)
Updated Date
2023-03-01 15:09:57
(18 months ago)

Affected Products

Debian

Netty

Configuration #1

    CPE23 From Up To
  Netty from 4.1.83 version and prior 4.1.86 version cpe:2.3:a:netty:netty >= 4.1.83 < 4.1.86

Configuration #2

    CPE23 From Up To
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0
  Debian Linux 11.0 cpe:2.3:o:debian:debian_linux:11.0