CVE-2015-2156

Published: 18/10/2017 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Netty prior to 3.9.8.Final, 3.10.x prior to 3.10.3.Final, 4.0.x prior to 4.0.28.Final, and 4.1.x prior to 4.1.0.Beta5 and Play Framework 2.x prior to 2.3.9 might allow remote malicious users to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Vulnerable Product

netty netty 4.0.16

netty netty 4.0.17

netty netty 4.0.18

netty netty 4.0.19

netty netty 4.0.20

netty netty 4.0.21

netty netty 4.0.22

netty netty 4.0.23

netty netty 4.0.24

netty netty 4.0.25

netty netty 4.0.26

netty netty 4.0.27

netty netty

netty netty 3.10.0

netty netty 3.10.1

netty netty 3.10.2

netty netty 4.0.1

netty netty 4.0.2

netty netty 4.0.3

netty netty 4.0.4

netty netty 4.0.5

netty netty 4.0.6

netty netty 4.0.7

netty netty 4.0.8

netty netty 4.0.9

netty netty 4.0.10

netty netty 4.0.11

netty netty 4.0.12

netty netty 4.0.13

netty netty 4.0.15

netty netty 4.0.0

netty netty 4.0.14

netty netty 4.1.0

playframework play framework 2.3

playframework play framework 2.2.5

playframework play framework 2.2.4

playframework play framework 2.2.3

playframework play framework 2.2.2

playframework play framework 2.2.1

playframework play framework 2.2.0

playframework play framework 2.1.6

playframework play framework 2.1.5

playframework play framework 2.1.4

playframework play framework 2.1.3

playframework play framework 2.1.2

playframework play framework 2.1.1

playframework play framework 2.0.1

playframework play framework 2.0

lightbend play framework 2.0

lightbend play framework 2.0.2

lightbend play framework 2.0.3

lightbend play framework 2.0.4

lightbend play framework 2.0.5

lightbend play framework 2.0.6

lightbend play framework 2.0.7

lightbend play framework 2.0.8

lightbend play framework 2.1.0

lightbend play framework 2.1.1

lightbend play framework 2.2.0

lightbend play framework 2.2.1

lightbend play framework 2.2.2

lightbend play framework 2.2.6

lightbend play framework 2.3.0

lightbend play framework 2.3.1

lightbend play framework 2.3.2

lightbend play framework 2.3.3

lightbend play framework 2.3.4

lightbend play framework 2.3.5

lightbend play framework 2.3.6

lightbend play framework 2.3.7

lightbend play framework 2.3.8

Vendor Advisories

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters ...