Home > Vulnerability Database > CVE-2019-16771

Mend.io Vulnerability Database

CVE-2019-16771

Good to know:

Date: December 6, 2019

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Language: Java

Severity Score

4.8

Related Resources (6)

Url: https://github.com/advisories/GHSA-24r8-fm9r-cpj2

Url: https://github.com/line/armeria/security/advisories/GHSA-24r8-fm9r-cpj2

Url: https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20

Url: https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-16771

Url: https://www.mend.io/vulnerability-database/CVE-2019-16771

Severity Score

4.8

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version armeria-0.97.0

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-16771

Good to know:

Date: December 6, 2019

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?