CVE-2022-41915
In short
Netty's DefaultHttpHeaders skips header-value validation when the values are supplied through an iterator, so a CR LF sequence in an attacker-influenced value reaches the wire unchanged and terminates the header early. Whatever follows is then parsed as additional headers or a body (HTTP Response Splitting), which can be used to set cookies, poison caches or inject content into the response.
Technical detail
CVE-2022-41915 affects Netty 4.1.83.Final through 4.1.85.Final. In those releases `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` stores the iterated values without running the header-value validator that the other `set()` and `add()` overloads apply, so a value containing CR LF (for example `value\r\nSet-Cookie: ...`) is accepted and emitted as-is, splitting the response (CWE-113, HTTP Response Splitting; the page also tags CWE-436, Interpretation Conflict). Only code that passes an Iterator to `set()` is exposed; the other overloads validate as before. Note that validation of any kind only runs when the headers object was created with validation enabled, which is the default constructor. Fixed in 4.1.86.Final.
Summary generated and translated by AI from the official description.
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
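The workaround above, written out as an added example (not code from the page or from the Netty project). It applies the advisory's remove-then-add loop, but stages the values in a throwaway validating `DefaultHttpHeaders` first so that a bad value throws before the real header map is touched, and adds an explicit CR/LF check for deployments that construct headers with validation disabled. The class name, the helpers `setValidated` and `containsCrLf`, and the sample values are assumptions for illustration; the Netty calls (`DefaultHttpHeaders()`, `add(name, value)`, `add(HttpHeaders)`, `remove(name)`, `getAll(name)`) are the public `HttpHeaders` API.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

// Illustrative class, not part of Netty.
public class NettyHeaderIteratorWorkaround {

    // Advisory workaround, made atomic: instead of set(name, iterator), which
    // skipped validation in 4.1.83-4.1.85, every value goes through add(),
    // whose validator rejects bare CR/LF and other control characters.
    // Values are staged in a scratch header map so that a rejected value
    // leaves 'target' unchanged rather than half-updated.
    static void setValidated(HttpHeaders target, CharSequence name, Iterator<?> values) {
        HttpHeaders staged = new DefaultHttpHeaders(); // validation enabled (default)
        while (values.hasNext()) {
            Object v = values.next();
            if (containsCrLf(String.valueOf(v))) {
                // Stricter than Netty's own validator, which still permits
                // obsolete line folding (CRLF followed by SP/HTAB).
                throw new IllegalArgumentException("CR/LF in header value for " + name);
            }
            staged.add(name, v); // throws IllegalArgumentException on invalid values
        }
        target.remove(name);
        target.add(staged);
    }

    // Defense in depth for code that builds headers with validation turned off
    // (new DefaultHttpHeaders(false)): reject any CR or LF outright.
    static boolean containsCrLf(CharSequence value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input: one legitimate value and one attacker-influenced
        // value that tries to terminate the header and forge a Set-Cookie line.
        List<String> good = Arrays.asList("max-age=3600", "no-transform");
        List<String> bad = Arrays.asList(
                "no-cache",
                "no-store\r\nSet-Cookie: session=attacker-chosen");

        HttpHeaders headers = new DefaultHttpHeaders();

        setValidated(headers, "Cache-Control", good.iterator());
        System.out.println("accepted: " + headers.getAll("Cache-Control"));

        try {
            setValidated(headers, "Cache-Control", bad.iterator());
            System.out.println("unexpected: CRLF value accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The previously accepted values are still in place; nothing from the
        // rejected batch reached the header map.
        System.out.println("after rejection: " + headers.getAll("Cache-Control"));
    }
}
```

On 4.1.86.Final and later the staging is not required for safety, since `set(name, Iterator)` validates again, but keeping the `containsCrLf` check is reasonable where headers are ever constructed with validation disabled or where obsolete line folding in a response is undesirable.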
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (base score 6.5, Medium)
Affected products
netty · netty
References
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
https://github.com/netty/netty/issues/13084
https://github.com/netty/netty/pull/12760
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://security.netapp.com/advisory/ntap-20230113-0004/
https://www.debian.org/security/2023/dsa-5316