CVE-2022-41915
Debian Security Advisory 5316-1
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
El proyecto Netty es un framework de aplicación de red asíncrona impulsado por eventos. A partir de la versión 4.1.83.Final y anteriores a la 4.1.86.Final, al llamar a `DefaultHttpHeadesr.set` con un _iterator_ de valores, no se realizaba la validación del valor del encabezado, lo que permitía que los valores de encabezado maliciosos en el iterador realizaran la división de respuesta HTTP. Este problema se solucionó en la versión 4.1.86.Final. Los integradores pueden solucionar el problema cambiando la llamada `DefaultHttpHeaders.set(CharSequence, Iterator)` a una llamada `remove()` y llamando a `add()` en un bucle sobre el iterador de valores.
It was discovered that Netty's Zlib decoders did not limit memory allocations. A remote attacker could possibly use this issue to cause Netty to exhaust memory via malicious input, leading to a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 20.04 ESM. It was discovered that Netty created temporary files with excessive permissions. A local attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM, and Ubuntu 20.04 ESM.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-30 CVE Reserved
- 2022-12-13 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
- CWE-436: Interpretation Conflict
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp | Mitigation | |
| https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20230113-0004 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/netty/netty/issues/13084 | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 | 2023-03-01 | |
| https://github.com/netty/netty/pull/12760 | 2023-03-01 |
| URL | Date | SRC |
|---|---|---|
| https://www.debian.org/security/2023/dsa-5316 | 2023-03-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netty Search vendor "Netty" | Netty Search vendor "Netty" for product "Netty" | >= 4.1.83 < 4.1.86 Search vendor "Netty" for product "Netty" and version " >= 4.1.83 < 4.1.86" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||