[MAVEN:GHSA-GV3V-92V6-M48J] Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting')

Severity Critical
Affected Packages 1
Fixed Packages 1
CVEs 1

Impact

  • Cross Site Scripting
  • Cache Poisoning
  • Page Hijacking

Patches

This was fixed in version 2.2.1.

Workarounds

If you are unable to update, ensure that user-supplied data cannot flow into HTTP headers. If it does, pre-sanitize it for CRLF characters before it reaches a header.

References

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

Root Cause

The root cause traces back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

The DefaultHttpHeaders constructor takes a validate parameter which, when true (as it is for the no-arg constructor), validates that a header value cannot be abused for HTTP Response Splitting. Jooby's Netty module passes false here, so CRLF sequences in a user-controlled header value are written to the response unchecked.
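To make the distinction concrete, here is an added example of the validating versus non-validating DefaultHttpHeaders behaviour described above, together with the pre-sanitization the Workarounds section asks for. It is not code from the advisory or from the Jooby project; it assumes Netty 4.1's netty-codec-http on the classpath, and the header value it feeds in is a constructed sample.

```java
// Added example, not part of the advisory or of Jooby. Assumes Netty 4.1
// (io.netty:netty-codec-http) on the classpath; the sample value is constructed.
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class HeaderSplittingCheck {

    // Workaround from the advisory: make sure no CR or LF survives in a value that
    // user input can reach. Stripping is shown here; rejecting the request instead
    // is an equally valid choice.
    static String sanitizeHeaderValue(String value) {
        if (value == null) {
            return null;
        }
        return value.replace("\r", "").replace("\n", "");
    }

    // True if Netty's own validation refuses the value. The no-arg constructor
    // validates (validate = true) and throws IllegalArgumentException on CR/LF.
    static boolean rejectedByValidatingHeaders(String name, String value) {
        HttpHeaders headers = new DefaultHttpHeaders();
        try {
            headers.set(name, value);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    // With validate = false, the configuration the advisory describes for
    // jooby-netty < 2.2.1, the CRLF is stored verbatim and would be emitted.
    static boolean crlfStoredByNonValidatingHeaders(String name, String value) {
        HttpHeaders headers = new DefaultHttpHeaders(false);
        headers.set(name, value);
        return headers.get(name).contains("\r\n");
    }

    public static void main(String[] args) {
        // Constructed sample: a value that, written verbatim, would end one
        // header line and begin another.
        String tainted = "en-US\r\nX-Injected: 1";

        System.out.println("validating headers reject tainted value: "
            + rejectedByValidatingHeaders("Content-Language", tainted));
        System.out.println("non-validating headers keep the CRLF: "
            + crlfStoredByNonValidatingHeaders("Content-Language", tainted));

        String clean = sanitizeHeaderValue(tainted);
        System.out.println("sanitized value: " + clean);
        System.out.println("validating headers reject sanitized value: "
            + rejectedByValidatingHeaders("Content-Language", clean));
    }
}
```

Run it as a plain main class with netty-codec-http on the classpath. The first two checks show why the fix in 2.2.1 matters: the same tainted value is refused by a validating DefaultHttpHeaders and silently accepted by a non-validating one. The last check shows that once CR and LF are stripped, the value passes Netty's validation, which is what the workaround relies on for versions that cannot be upgraded.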

Reported By

This vulnerability was reported by @JLLeitschuh (Twitter)

For more information

If you have any questions or comments about this advisory:
* Open an issue in jooby-project/jooby

Package                         Affected Version
pkg:maven/io.jooby/jooby-netty  < 2.2.1

Package                         Fixed Version
pkg:maven/io.jooby/jooby-netty  = 2.2.1
ID
MAVEN:GHSA-GV3V-92V6-M48J
Severity
critical
URL
https://github.com/advisories/GHSA-gv3v-92v6-m48j
Published
2020-04-03T15:23:30
Modified
2023-02-01T05:03:00
Rights
Maven Security Team
Type      Package URL                      Namespace  Name / Product  Version  Distribution / Platform  Arch  Patch / Fix
Affected  pkg:maven/io.jooby/jooby-netty   io.jooby   jooby-netty     < 2.2.1
Fixed     pkg:maven/io.jooby/jooby-netty   io.jooby   jooby-netty     = 2.2.1