CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

CVSS v3 7.5 HIGH
CVSS v2.0 4.3 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html	Third Party Advisory
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html	Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/05/17/1	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/74704	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1222923	Issue Tracking Third Party Advisory
https://github.com/netty/netty/pull/3754	Third Party Advisory
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netty:netty::::::::
	cpe:2.3:a:netty:netty:3.10.0:::::::*
	cpe:2.3:a:netty:netty:3.10.1:::::::*
	cpe:2.3:a:netty:netty:3.10.2:::::::*
	cpe:2.3:a:netty:netty:4.0.0:::::::*
	cpe:2.3:a:netty:netty:4.0.1:::::::*
	cpe:2.3:a:netty:netty:4.0.2:::::::*
	cpe:2.3:a:netty:netty:4.0.3:::::::*
	cpe:2.3:a:netty:netty:4.0.4:::::::*
	cpe:2.3:a:netty:netty:4.0.5:::::::*
	cpe:2.3:a:netty:netty:4.0.6:::::::*
	cpe:2.3:a:netty:netty:4.0.7:::::::*
	cpe:2.3:a:netty:netty:4.0.8:::::::*
	cpe:2.3:a:netty:netty:4.0.9:::::::*
	cpe:2.3:a:netty:netty:4.0.10:::::::*
	cpe:2.3:a:netty:netty:4.0.11:::::::*
	cpe:2.3:a:netty:netty:4.0.12:::::::*
	cpe:2.3:a:netty:netty:4.0.13:::::::*
	cpe:2.3:a:netty:netty:4.0.14:::::::*
	cpe:2.3:a:netty:netty:4.0.15:::::::*
	cpe:2.3:a:netty:netty:4.0.16:::::::*
	cpe:2.3:a:netty:netty:4.0.17:::::::*
	cpe:2.3:a:netty:netty:4.0.18:::::::*
	cpe:2.3:a:netty:netty:4.0.19:::::::*
	cpe:2.3:a:netty:netty:4.0.20:::::::*
	cpe:2.3:a:netty:netty:4.0.21:::::::*
	cpe:2.3:a:netty:netty:4.0.22:::::::*
	cpe:2.3:a:netty:netty:4.0.23:::::::*
	cpe:2.3:a:netty:netty:4.0.24:::::::*
	cpe:2.3:a:netty:netty:4.0.25:::::::*
	cpe:2.3:a:netty:netty:4.0.26:::::::*
	cpe:2.3:a:netty:netty:4.0.27:::::::*
	cpe:2.3:a:netty:netty:4.1.0:beta1::::::
	cpe:2.3:a:netty:netty:4.1.0:beta2::::::
	cpe:2.3:a:netty:netty:4.1.0:beta3::::::
	cpe:2.3:a:netty:netty:4.1.0:beta4::::::

Configuration 2 (hide)

OR	cpe:2.3:a:lightbend:play_framework:2.0:rc3::::::
	cpe:2.3:a:lightbend:play_framework:2.0:rc4::::::
	cpe:2.3:a:lightbend:play_framework:2.0:rc5::::::
	cpe:2.3:a:lightbend:play_framework:2.0.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.2:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.2:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.3:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.3:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.3:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.4:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.4:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.4:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.5:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.5:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.5:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.7:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.8:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.1:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.2.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.0:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.3.0:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.3.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.2:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.3.2:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.3.3:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.4:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.5:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.7:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.8:::::::*
	cpe:2.3:a:playframework:play_framework:2.0:::::::*
	cpe:2.3:a:playframework:play_framework:2.0:beta::::::
	cpe:2.3:a:playframework:play_framework:2.0:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.0:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.0.1:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport::::::
	cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport::::::
	cpe:2.3:a:playframework:play_framework:2.1.1:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.2:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.2:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.2:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.3:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.3:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.3:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.4:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.4:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.4:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.5:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.6:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.6:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m2::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m3::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.2.1:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc2::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc3::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc4::::::
cpe:2.3:a:playframework:play_framework:2.2.3:::::::*
cpe:2.3:a:playframework:play_framework:2.2.3:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.3:rc2::::::
cpe:2.3:a:playframework:play_framework:2.2.4:::::::*
cpe:2.3:a:playframework:play_framework:2.2.5:::::::*
cpe:2.3:a:playframework:play_framework:2.3:m1::::::

History

07 Nov 2023, 02:25

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E', 'name': '[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E', 'name': '[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E', 'name': '[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E', 'name': '[cassandra-commits] 20191114 [jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)', 'tags': [], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E - () https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E - () https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E - () https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E -

Information

Published : 2017-10-18 15:29

Updated : 2023-12-10 12:15

NVD link : CVE-2015-2156

Mitre link : CVE-2015-2156

CVE.ORG link : CVE-2015-2156

JSON object : View

Products Affected

playframework

play_framework

lightbend

play_framework

netty

netty

CWE

CWE-20

Improper Input Validation

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2015-2156

7.5^/10

4.3^/10

Attach tags to `CVE-2015-2156`