CVE-2015-2156
Information Exposure in Netty
7.5
HIGH
CVSS 3.1
EPSS 3.3%
Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
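The description attributes the issue to improper validation of cookie name and value characters. As an added illustration, not Netty's or Play's own code, the class below applies the RFC 6265 grammar (a token for the name, cookie-octets for the value) so that separator and control characters are rejected before a cookie is ever emitted; the sample inputs are constructed for this example.

```java
import java.util.Arrays;
import java.util.List;

/** Added example, not Netty's code: strict RFC 6265 cookie name/value validation. */
public final class StrictCookieValidator {

    /** RFC 2616 token separators; none may appear in a cookie name. */
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** A cookie name must be a non-empty token: printable ASCII with no separators or CTLs. */
    public static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** A cookie value is zero or more cookie-octets, optionally wrapped in one pair of DQUOTEs. */
    public static boolean isValidValue(String value) {
        if (value == null) return false;
        String v = value;
        if (v.length() >= 2 && v.charAt(0) == '"' && v.charAt(v.length() - 1) == '"') {
            v = v.substring(1, v.length() - 1);
        }
        for (int i = 0; i < v.length(); i++) {
            if (!isCookieOctet(v.charAt(i))) return false;
        }
        return true;
    }

    /** cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E: excludes CTLs, SP, DQUOTE, ',', ';', '\\'. */
    private static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    public static void main(String[] args) {
        // Constructed samples: a clean pair, a value carrying a ';' separator,
        // a value carrying CR/LF control characters, and a name containing a space.
        List<String[]> samples = Arrays.asList(
                new String[] {"SESSION", "abc123"},
                new String[] {"SESSION", "abc;123"},
                new String[] {"SESSION", "abc\r\n123"},
                new String[] {"bad name", "x"});
        for (String[] s : samples) {
            boolean ok = isValidName(s[0]) && isValidValue(s[1]);
            System.out.printf("name=%s -> %s%n", s[0], ok ? "accepted" : "rejected");
        }
    }
}
```

Only the first sample is accepted; the other three are rejected by the name or value check, which is the behaviour a server-side cookie encoder needs before writing a Set-Cookie header.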
How to fix CVE-2015-2156
To remediate CVE-2015-2156, upgrade the affected package to a fixed version below.
- upgrade to 1:4.0.31-1 or later
- upgrade to 3.10.3.Final or later
- upgrade to 4.0.28.Final or later
- upgrade to 3.9.8.Final or later
Is CVE-2015-2156 being exploited?
Low — EPSS is 3.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1:4.0.31-1
- >= 3.10.0, < 3.10.3.Final
- >= 4.0.0, < 4.0.28.Final
- from 0, < 3.9.8.Final
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |