Netty vulnerable to HTTP Response splitting from assigning header value iterator
Package
Affected versions
>= 4.1.83.Final, < 4.1.86.Final
Patched versions
4.1.86.Final
Description
Published to the GitHub Advisory Database
Dec 12, 2022
Reviewed
Dec 12, 2022
Published by the National Vulnerability Database
Dec 13, 2022
Last updated
Jan 29, 2023
Impact
When calling
DefaultHttpHeaders.set
with an iterator of values (as opposed to a single given value), header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting.Patches
The necessary validation was added in Netty 4.1.86.Final.
Workarounds
Integrators can work around the issue by changing the
DefaultHttpHeaders.set(CharSequence, Iterator<?>)
call, into aremove()
call, and calladd()
in a loop over the iterator of values.References
HTTP Response Splitting
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
For more information
If you have any questions or comments about this advisory:
References