Vulnerability Details : CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Vulnerability category: Input validation
Products affected by CVE-2015-2156
- cpe:2.3:a:playframework:play_framework:2.2.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.3:m1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.24:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2156
- EPSS score: 0.34% (probability of exploitation activity in the next 30 days)
- Percentile: ~71% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-2156
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2015-2156
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2156
- http://www.openwall.com/lists/oss-security/2015/05/17/1
  oss-security - Netty/Play's Security Updates (CVE-2015-2156) [Mailing List; Third Party Advisory]
- https://github.com/netty/netty/pull/3754
  Validate cookie name and value characters by slandelle · Pull Request #3754 · netty/netty · GitHub [Third Party Advisory]
- https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
  Pony Mail!
- https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
  [jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure) - Pony Mail
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
  [SECURITY] Fedora 22 Update: netty-4.0.28-1.fc22 [Third Party Advisory]
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
  [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 - Pony Mail
- http://www.securityfocus.com/bid/74704
  Netty and Play Framework CVE-2015-2156 Session Hijacking Vulnerability [Third Party Advisory; VDB Entry]
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
  Play Framework Security Advisory [Third Party Advisory]
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
  Netty.news: Netty 3.9.8.Final and 3.10.3.Final released [Vendor Advisory]
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
  [SECURITY] Fedora 21 Update: netty-4.0.28-1.fc21 [Third Party Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=1222923
  1222923 – (CVE-2015-2156) CVE-2015-2156 netty: HttpOnly cookie bypass [Issue Tracking; Third Party Advisory]
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
  [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities - Pony Mail