GHSA-GV3V-92V6-M48J

Vulnerability from github – Published: 2020-04-03 15:23 – Updated: 2021-07-29 15:47
VLAI?
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
Details

Impact

  • Cross Site Scripting
  • Cache Poisoning
  • Page Hijacking

Patches

This was fixed in version 2.2.1.

Workarounds

If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.

References

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

I've been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.

Root Cause

This roots cause back to this line in the Jooby codebase:

https://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102

The DefaultHttpHeaders takes a parameter validate which, when true (as it is for the no-arg constructor) validates that the header isn't being abused to do HTTP Response Splitting.

Reported By

This vulnerability was reported by @JLLeitschuh (Twitter)

For more information

If you have any questions or comments about this advisory: * Open an issue in jooby-project/jooby

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jooby:jooby-netty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-02T23:59:56Z",
    "nvd_published_at": "2020-04-06T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\n - Cross Site Scripting\n - Cache Poisoning\n - Page Hijacking\n\n### Patches\n\nThis was fixed in version `2.2.1`.\n\n### Workarounds\n\nIf you are unable to update, ensure that user supplied data isn\u0027t able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters.\n\n### References\n\n##### [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)](https://cwe.mitre.org/data/definitions/113.html)\n\nI\u0027ve been poking at libraries to see if they are vulnerable to HTTP Response Splitting and Jooby is my third case of finding this vulnerability.\n\n### Root Cause\n\nThis roots cause back to this line in the Jooby codebase:\n\nhttps://github.com/jooby-project/jooby/blob/93cfc80aa20c188f71a442ea7a1827da380e1c27/modules/jooby-netty/src/main/java/io/jooby/internal/netty/NettyContext.java#L102\n\nThe `DefaultHttpHeaders` takes a parameter `validate` which, when `true` (as it is for the no-arg constructor) validates that the header isn\u0027t being abused to do HTTP Response Splitting.\n\n### Reported By\n\nThis vulnerability was reported by @JLLeitschuh ([Twitter](https://twitter.com/JLLeitschuh))\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [jooby-project/jooby](https://github.com/jooby-project/jooby/issues)",
  "id": "GHSA-gv3v-92v6-m48j",
  "modified": "2021-07-29T15:47:43Z",
  "published": "2020-04-03T15:23:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby (\u0027HTTP Response Splitting)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.