CVE-2022-41915 — MEDIUM (6.5)

Q: How severe is CVE-2022-41915?

CVE-2022-41915 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-41915?

Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Debian Debian Linux.

Vulnerability Description

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Netty	Netty	>= 4.1.83, < 4.1.86
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-436 CWE-113

References

https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4PatchThird Party Advisory
https://github.com/netty/netty/issues/13084ExploitIssue TrackingThird Party Advisory
https://github.com/netty/netty/pull/12760PatchThird Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frpMitigationThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20230113-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5316Third Party Advisory
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4PatchThird Party Advisory
https://github.com/netty/netty/issues/13084ExploitIssue TrackingThird Party Advisory
https://github.com/netty/netty/pull/12760PatchThird Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frpMitigationThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20230113-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5316Third Party Advisory

FAQ

What is CVE-2022-41915?

CVE-2022-41915 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of val...

How severe is CVE-2022-41915?

CVE-2022-41915 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-41915?

Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Debian Debian Linux.