V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2022-41915
DEB
Medium

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, wh…

CVSS
6.5
Medium
EPSS
0.01
p54
Published
2022-01-01
Updated
2022-01-01
Description

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

Tags · CWE
Pre-auth
CWE-113
CAPEC-31
CAPEC-34
CAPEC-85
CAPEC-105
Affected products
Debian_linux
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Timeline
2022-01-01
Published
2022-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: L
Low (L)
Integrity Impact
I: L
Low (L)
Availability Impact
A: N
None (N)
Exploit indicators
EPSS
0.009 · p54
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-31 · CWE-113
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
ProductVendorStatus
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
nettyTracked
netty-3.9Tracked
netty-3.9Tracked
netty-3.9Tracked
debian_linux*Tracked
netty*Tracked
Source databases
DEB
CVE
UBU
Related vulnerabilities