Vulnerability Details : CVE-2022-41915
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
Exploit prediction scoring system (EPSS) score for CVE-2022-41915
Probability of exploitation activity in the next 30 days: 0.17%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 53 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-41915
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
GitHub, Inc. |
CWE ids for CVE-2022-41915
-
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Assigned by: security-advisories@github.com (Primary)
-
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2022-41915
-
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
[SECURITY] [DLA 3268-1] netty security updateMailing List;Third Party Advisory
-
https://github.com/netty/netty/issues/13084
CVE CVE-2022-41915: Incorrect range. Releases < 4.1.83.Final not affected · Issue #13084 · netty/netty · GitHubExploit;Issue Tracking;Third Party Advisory
-
https://github.com/netty/netty/pull/12760
Reject HTTP/2 header values with invalid characters by chrisvest · Pull Request #12760 · netty/netty · GitHubPatch;Third Party Advisory
-
https://www.debian.org/security/2023/dsa-5316
Debian -- Security Information -- DSA-5316-1 nettyThird Party Advisory
-
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
HTTP Response splitting from assigning header value iterator · Advisory · netty/netty · GitHubMitigation;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20230113-0004/
December 2022 Apache Netty Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
Merge pull request from GHSA-hh82-3pmq-7frp · netty/netty@fe18adf · GitHubPatch;Third Party Advisory
Products affected by CVE-2022-41915
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*