[MAVEN:GHSA-GV3V-92V6-M48J] Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
Severity
Critical
Affected Packages
1
Fixed Packages
1
CVEs
1
Impact
- Cross Site Scripting
- Cache Poisoning
- Page Hijacking
Patches
This was fixed in version 2.2.1
.
Workarounds
If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.
Root Cause
This roots cause back to this line in the Jooby codebase:
The DefaultHttpHeaders
takes a parameter validate
which, when true
(as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.
Reported By
This vulnerability was reported by @JLLeitschuh (Twitter)
For more information
If you have any questions or comments about this advisory:
* Open an issue in jooby-project/jooby
Package | Affected Version |
---|---|
pkg:maven/io.jooby/jooby-netty | < 2.2.1 |
Package | Fixed Version |
---|---|
pkg:maven/io.jooby/jooby-netty | = 2.2.1 |
- ID
- MAVEN:GHSA-GV3V-92V6-M48J
- Severity
- critical
- URL
- https://github.com/advisories/GHSA-gv3v-92v6-m48j
- Published
-
2020-04-03T15:23:30
(4 years ago) - Modified
-
2023-02-01T05:03:00
(19 months ago) - Rights
- Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/io.jooby/jooby-netty | io.jooby | jooby-netty | < 2.2.1 | |||
Fixed | pkg:maven/io.jooby/jooby-netty | io.jooby | jooby-netty | = 2.2.1 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |