Home > Vulnerability Database > CVE-2022-41915

Mend.io Vulnerability Database

CVE-2022-41915

Good to know:

Date: December 12, 2022

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling "DefaultHttpHeadesr.set" with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the "DefaultHttpHeaders.set(CharSequence, Iterator<?>)" call, into a "remove()" call, and call "add()" in a loop over the iterator of values. After conducting further research, Mend has determined that versions 4.1.80.Final up to and including 4.1.85.Final of netty-codec-http are vulnerable to CVE-2022-41915.

Language: Java

Severity Score

6.5

Related Resources (13)

Url: https://security-tracker.debian.org/tracker/CVE-2022-41915

Url: https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0

Url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

Url: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-41915

Url: https://github.com/netty/netty/pull/12760

Url: https://security.netapp.com/advisory/ntap-20230113-0004/

Url: https://github.com/netty/netty

Url: https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4

Url: https://github.com/netty/netty/issues/13084

Url: https://www.debian.org/security/2023/dsa-5316

Url: https://security.netapp.com/advisory/ntap-20230113-0004

Url: https://www.mend.io/vulnerability-database/CVE-2022-41915

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-113

Interpretation Conflict

CWE-436

Top Fix

Upgrade Version

Upgrade to version io.netty:netty-codec-http:4.1.86.Final

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-41915

Good to know:

Date: December 12, 2022

Language: Java

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?