PRIOn knowledge basePRION:CVE-2015-2156Input validation
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
References
netty.io/news/2015/05/08/3-9-8-Final-and-3.html
www.openwall.com/lists/oss-security/2015/05/17/1
www.securityfocus.com/bid/74704
bugzilla.redhat.com/show_bug.cgi?id=1222923
github.com/netty/netty/pull/3754
lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Related
