Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2015-2156 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 2.6 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | netty | Will not fix |
| Red Hat Satellite 6 | netty | Will not fix |
| Red Hat JBoss Portal Platform 6 | netty | Will not fix |
| Red Hat JBoss Portal 5 | netty | Will not fix |
| Red Hat JBoss Operations Network 3 | netty | Not affected |
| Red Hat JBoss Fuse Service Works 6 | netty | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 5 | netty | Will not fix |
| Red Hat JBoss EAP 6 | netty | Will not fix |
| Red Hat JBoss EAP 5 | netty | Will not fix |
| Red Hat JBoss Data Virtualization 6 | netty | Will not fix |
| Red Hat JBoss Data Grid 6 | netty | Will not fix |
| Red Hat JBoss BRMS 6 | netty | Will not fix |
| Red Hat JBoss BRMS 5 | netty | Will not fix |
| Red Hat JBoss BPMS 6 | netty | Not affected |
Vulmon