V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2015-2156
DEB
HighConfirmedExploit available

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before…

CVSS
7.5
High
EPSS
0.05
p91
Published
2015-01-01
Updated
2015-01-01
Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Tags · CWE
Pre-auth
CWE-20
CAPEC-3
CAPEC-7
CAPEC-8
CAPEC-9
CAPEC-10
CAPEC-13
CAPEC-14
CAPEC-22
CAPEC-23
CAPEC-24
CAPEC-28
CAPEC-31
CAPEC-42
CAPEC-43
CAPEC-45
CAPEC-46
CAPEC-47
CAPEC-52
CAPEC-53
CAPEC-63
CAPEC-64
CAPEC-67
CAPEC-71
CAPEC-72
CAPEC-73
CAPEC-78
CAPEC-79
CAPEC-80
CAPEC-81
CAPEC-83
CAPEC-85
CAPEC-88
CAPEC-101
CAPEC-104
CAPEC-108
CAPEC-109
CAPEC-110
CAPEC-120
CAPEC-135
CAPEC-136
CAPEC-153
CAPEC-182
CAPEC-209
CAPEC-230
CAPEC-231
CAPEC-250
CAPEC-261
CAPEC-267
CAPEC-473
CAPEC-588
CAPEC-664
Affected products
NettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNettyNetty
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Timeline
2015-01-01
Published
2015-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: N
None (N)
Availability Impact
A: N
None (N)
Exploit indicators
EPSS
0.054 · p91
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-267 · CWE-20
└ via CAPEC-473 · CWE-20
└ via CAPEC-31 · CWE-20
└ via CAPEC-473 · CWE-20
└ via CAPEC-13 · CWE-20
Known exploits — Сканер-ВС
CVE-2015-2156
github-poc · https://github.com/dawetmaster/CVE-2015-2156-netty-vulnerable
Enterprise
Affected products
ProductVendorStatus
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
Showing first 20 of 44
Source databases
DEB
CVE
UBU