CVE-2015-2156
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.htmlhttp://netty.io/news/2015/05/08/3-9-8-Final-and-3.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=1222923https://github.com/netty/netty/pull/3754https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3Ehttps://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3Ehttps://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3Ehttps://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypasshttp://www.openwall.com/lists/oss-security/2015/05/17/1http://www.securityfocus.com/bid/74704