Vulnerability Details : CVE-2020-7622
This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. The DefaultHttpHeaders validation flag is set to false, which means header values are not validated and can be abused for HTTP Response Splitting.
Products affected by CVE-2020-7622
- cpe:2.3:a:jooby:jooby:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-7622
0.70% probability of exploitation activity in the next 30 days
~80th percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-7622
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | Snyk | 
References for CVE-2020-7622
- https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249 : HTTP Response Splitting in io.jooby:jooby-netty (Snyk) [Patch; Third Party Advisory]
- https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j : CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (GitHub Security Advisory, jooby-project/jooby) [Exploit; Third Party Advisory]
- https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4 : CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('… (commit jooby-project/jooby@b66e334) [Patch; Third Party Advisory]