HTTP Response Splitting Affecting io.jooby:jooby-netty package, versions [,1.6.9) [2.0.0, 2.2.1)


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.7% (79th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-IOJOOBY-564249
  • published 2 Apr 2020
  • disclosed 2 Apr 2020
  • credit Jonathan Leitschuh

How to fix?

Upgrade io.jooby:jooby-netty to version 1.6.9, 2.2.1 or higher.

Overview

io.jooby:jooby-netty is a netty implementation in jooby

Affected versions of this package are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.