Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)

2020-04-0315:23:30

Google

osv.dev

0.006 Low

EPSS

Percentile

78.1%

JSON

Impact

Cross Site Scripting
Cache Poisoning
Page Hijacking

Patches

This was fixed in version 2.2.1.

Workarounds

If you are unable to update, ensure that user supplied data isn’t able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.

References

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)

I’ve been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

Root Cause

This roots cause back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn’t being abused to do HTTP Response Splitting.

Reported By

This vulnerability was reported by @JLLeitschuh (Twitter)

For more information

If you have any questions or comments about this advisory:

Open an issue in jooby-project/jooby

CPENameOperatorVersion
io.jooby:jooby-nettyeq2.0.0.RC3
io.jooby:jooby-nettyeq2.1.0
io.jooby:jooby-nettyeq2.0.0.M3
io.jooby:jooby-nettyeq2.0.0.RC2
io.jooby:jooby-nettyeq2.0.5
io.jooby:jooby-nettyeq2.0.2
io.jooby:jooby-nettyeq2.0.6
io.jooby:jooby-nettyeq2.0.0.M1
io.jooby:jooby-nettyeq2.0.1
io.jooby:jooby-nettyeq2.0.0.RC1

Name	Operator	Version
io.jooby:jooby-netty	eq	2.0.0.RC3
io.jooby:jooby-netty	eq	2.1.0
io.jooby:jooby-netty	eq	2.0.0.M3
io.jooby:jooby-netty	eq	2.0.0.RC2
io.jooby:jooby-netty	eq	2.0.5
io.jooby:jooby-netty	eq	2.0.2
io.jooby:jooby-netty	eq	2.0.6
io.jooby:jooby-netty	eq	2.0.0.M1
io.jooby:jooby-netty	eq	2.0.1
io.jooby:jooby-netty	eq	2.0.0.RC1