Lucene search
GoogleOSV:GHSA-35FR-H7JR-HH86HistoryDec 06, 2019 - 6:55 p.m.
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria
2019-12-0618:55:47
Google
osv.dev
13
EPSS
0.002
Percentile
53.4%
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response.
Impact
- Cross-User Defacement
- Cache Poisoning
- Cross-Site Scripting (XSS)
- Page Hijacking
Root Cause
The root cause is due to the usage of Netty without the HTTP header validation.
Patches
This vulnerability has been patched in 0.97.0.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j
For more information
If you have any questions or comments about this advisory:
- Open an issue in GitHub
Related
prion
prion
Cross site scripting
2019-12-06 19:15:00
osv
osv
CVE-2019-16771
2019-12-06 19:15:10
Low severity vulnerability that affects com.linecorp.armeria:armeria
2019-12-05 18:40:51
HTTP Response Splitting in Styx
2020-03-03 15:32:03
veracode
veracode
HTTP Response Splitting
2019-12-09 03:22:19
cvelist
cvelist
nvd
nvd
CVE-2019-16771
2019-12-06 19:15:10
cve
cve
CVE-2019-16771
2019-12-06 19:15:10
github
github
Low severity vulnerability that affects com.linecorp.armeria:armeria
2019-12-05 18:40:51
HTTP Response Splitting in Styx
2020-03-03 15:32:03