Home > Vulnerability Database > CVE-2015-2156

Mend.io Vulnerability Database

CVE-2015-2156

Good to know:

Date: October 18, 2017

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Language: Java

Severity Score

7.5

Related Resources (22)

Url: https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E

Url: http://www.securityfocus.com/bid/74704

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html

Url: https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E

Url: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html

Url: https://github.com/netty/netty/pull/3754

Url: https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55

Url: https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9

Url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

Url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-2156

Url: http://www.openwall.com/lists/oss-security/2015/05/17/1

Url: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E

Url: http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html

Url: https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E

Url: https://github.com/netty/netty

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1222923

Url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

Url: https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E

Url: https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752

Url: https://www.mend.io/vulnerability-database/CVE-2015-2156

Severity Score

7.5

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-2156

Good to know:

Date: October 18, 2017

Language: Java

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?