CVE-2015-2156
high-risk
Published 2017-10-18
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Do I need to act?
~
3.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (24)
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
Vendor Advisory
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
Third Party Advisory
http://www.securityfocus.com/bid/74704
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
Third Party Advisory
https://github.com/netty/netty/pull/3754
Third Party Advisory
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypas...
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
Vendor Advisory
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
Third Party Advisory
http://www.securityfocus.com/bid/74704
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
Third Party Advisory
https://github.com/netty/netty/pull/3754
and 4 more references
64
/ 100
high-risk
Severity
26/34 · High
Exploitability
7/34 · Low
Exposure
31/34 · Critical