Vulnerability Details CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.022
EPSS Ranking 83.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 4.3
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- http://www.openwall.com/lists/oss-security/2015/05/17/1
- http://www.securityfocus.com/bid/74704
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- https://github.com/netty/netty/pull/3754
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
- http://www.openwall.com/lists/oss-security/2015/05/17/1
- http://www.securityfocus.com/bid/74704
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
- https://github.com/netty/netty/pull/3754
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Products affected by CVE-2015-2156
-
cpe:2.3:a:lightbend:play_framework:2.0
-
cpe:2.3:a:lightbend:play_framework:2.0.2
-
cpe:2.3:a:lightbend:play_framework:2.0.3
-
cpe:2.3:a:lightbend:play_framework:2.0.4
-
cpe:2.3:a:lightbend:play_framework:2.0.5
-
cpe:2.3:a:lightbend:play_framework:2.0.6
-
cpe:2.3:a:lightbend:play_framework:2.0.7
-
cpe:2.3:a:lightbend:play_framework:2.0.8
-
cpe:2.3:a:lightbend:play_framework:2.1.0
-
cpe:2.3:a:lightbend:play_framework:2.1.1
-
cpe:2.3:a:lightbend:play_framework:2.2.0
-
cpe:2.3:a:lightbend:play_framework:2.2.1
-
cpe:2.3:a:lightbend:play_framework:2.2.2
-
cpe:2.3:a:lightbend:play_framework:2.2.6
-
cpe:2.3:a:lightbend:play_framework:2.3.0
-
cpe:2.3:a:lightbend:play_framework:2.3.1
-
cpe:2.3:a:lightbend:play_framework:2.3.2
-
cpe:2.3:a:lightbend:play_framework:2.3.3
-
cpe:2.3:a:lightbend:play_framework:2.3.4
-
cpe:2.3:a:lightbend:play_framework:2.3.5
-
cpe:2.3:a:lightbend:play_framework:2.3.6
-
cpe:2.3:a:lightbend:play_framework:2.3.7
-
cpe:2.3:a:lightbend:play_framework:2.3.8
-
cpe:2.3:a:netty:netty:-
-
cpe:2.3:a:netty:netty:3.10.0
-
cpe:2.3:a:netty:netty:3.10.1
-
cpe:2.3:a:netty:netty:3.10.2
-
cpe:2.3:a:netty:netty:3.2.10
-
cpe:2.3:a:netty:netty:3.2.4
-
cpe:2.3:a:netty:netty:3.2.5
-
cpe:2.3:a:netty:netty:3.2.6
-
cpe:2.3:a:netty:netty:3.2.7
-
cpe:2.3:a:netty:netty:3.2.8
-
cpe:2.3:a:netty:netty:3.2.9
-
cpe:2.3:a:netty:netty:3.3.0
-
cpe:2.3:a:netty:netty:3.3.1
-
cpe:2.3:a:netty:netty:3.4.0
-
cpe:2.3:a:netty:netty:3.4.1
-
cpe:2.3:a:netty:netty:3.4.2
-
cpe:2.3:a:netty:netty:3.4.3
-
cpe:2.3:a:netty:netty:3.4.4
-
cpe:2.3:a:netty:netty:3.4.5
-
cpe:2.3:a:netty:netty:3.4.6
-
cpe:2.3:a:netty:netty:3.5.0
-
cpe:2.3:a:netty:netty:3.5.1
-
cpe:2.3:a:netty:netty:3.5.10
-
cpe:2.3:a:netty:netty:3.5.11
-
cpe:2.3:a:netty:netty:3.5.12
-
cpe:2.3:a:netty:netty:3.5.13
-
cpe:2.3:a:netty:netty:3.5.2
-
cpe:2.3:a:netty:netty:3.5.3
-
cpe:2.3:a:netty:netty:3.5.4
-
cpe:2.3:a:netty:netty:3.5.5
-
cpe:2.3:a:netty:netty:3.5.6
-
cpe:2.3:a:netty:netty:3.5.7
-
cpe:2.3:a:netty:netty:3.5.8
-
cpe:2.3:a:netty:netty:3.5.9
-
cpe:2.3:a:netty:netty:3.6.0
-
cpe:2.3:a:netty:netty:3.6.1
-
cpe:2.3:a:netty:netty:3.6.10
-
cpe:2.3:a:netty:netty:3.6.2
-
cpe:2.3:a:netty:netty:3.6.3
-
cpe:2.3:a:netty:netty:3.6.4
-
cpe:2.3:a:netty:netty:3.6.5
-
cpe:2.3:a:netty:netty:3.6.6
-
cpe:2.3:a:netty:netty:3.6.7
-
cpe:2.3:a:netty:netty:3.6.8
-
cpe:2.3:a:netty:netty:3.6.9
-
cpe:2.3:a:netty:netty:3.7.0
-
cpe:2.3:a:netty:netty:3.7.1
-
cpe:2.3:a:netty:netty:3.8.0
-
cpe:2.3:a:netty:netty:3.8.1
-
cpe:2.3:a:netty:netty:3.8.2
-
cpe:2.3:a:netty:netty:3.8.3
-
cpe:2.3:a:netty:netty:3.9.0
-
cpe:2.3:a:netty:netty:3.9.1
-
cpe:2.3:a:netty:netty:3.9.1.1
-
cpe:2.3:a:netty:netty:3.9.2
-
cpe:2.3:a:netty:netty:3.9.3
-
cpe:2.3:a:netty:netty:3.9.4
-
cpe:2.3:a:netty:netty:3.9.5
-
cpe:2.3:a:netty:netty:3.9.6
-
cpe:2.3:a:netty:netty:3.9.7
-
cpe:2.3:a:netty:netty:4.0.0
-
cpe:2.3:a:netty:netty:4.0.1
-
cpe:2.3:a:netty:netty:4.0.10
-
cpe:2.3:a:netty:netty:4.0.11
-
cpe:2.3:a:netty:netty:4.0.12
-
cpe:2.3:a:netty:netty:4.0.13
-
cpe:2.3:a:netty:netty:4.0.14
-
cpe:2.3:a:netty:netty:4.0.15
-
cpe:2.3:a:netty:netty:4.0.16
-
cpe:2.3:a:netty:netty:4.0.17
-
cpe:2.3:a:netty:netty:4.0.18
-
cpe:2.3:a:netty:netty:4.0.19
-
cpe:2.3:a:netty:netty:4.0.2
-
cpe:2.3:a:netty:netty:4.0.20
-
cpe:2.3:a:netty:netty:4.0.21
-
cpe:2.3:a:netty:netty:4.0.22
-
cpe:2.3:a:netty:netty:4.0.23
-
cpe:2.3:a:netty:netty:4.0.24
-
cpe:2.3:a:netty:netty:4.0.25
-
cpe:2.3:a:netty:netty:4.0.26
-
cpe:2.3:a:netty:netty:4.0.27
-
cpe:2.3:a:netty:netty:4.0.3
-
cpe:2.3:a:netty:netty:4.0.4
-
cpe:2.3:a:netty:netty:4.0.5
-
cpe:2.3:a:netty:netty:4.0.6
-
cpe:2.3:a:netty:netty:4.0.7
-
cpe:2.3:a:netty:netty:4.0.8
-
cpe:2.3:a:netty:netty:4.0.9
-
cpe:2.3:a:netty:netty:4.1.0
-
cpe:2.3:a:playframework:play_framework:2.0
-
cpe:2.3:a:playframework:play_framework:2.0.1
-
cpe:2.3:a:playframework:play_framework:2.1.1
-
cpe:2.3:a:playframework:play_framework:2.1.2
-
cpe:2.3:a:playframework:play_framework:2.1.3
-
cpe:2.3:a:playframework:play_framework:2.1.4
-
cpe:2.3:a:playframework:play_framework:2.1.5
-
cpe:2.3:a:playframework:play_framework:2.1.6
-
cpe:2.3:a:playframework:play_framework:2.2.0
-
cpe:2.3:a:playframework:play_framework:2.2.1
-
cpe:2.3:a:playframework:play_framework:2.2.2
-
cpe:2.3:a:playframework:play_framework:2.2.3
-
cpe:2.3:a:playframework:play_framework:2.2.4
-
cpe:2.3:a:playframework:play_framework:2.2.5
-
cpe:2.3:a:playframework:play_framework:2.3