Description
This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. DefaultHttpHeaders is created with validation set to false, which means it does not validate that headers aren't being abused for HTTP Response Splitting.
References (3)
Core References
Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249
Patch, Third Party Advisory x_refsource_misc
https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4
Exploit, Third Party Advisory x_refsource_misc
https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
Scores
CVSS v3
6.5
EPSS
0.0045
EPSS Percentile
63.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
Status
published
Products (2)
io.jooby/jooby-netty
0 - 2.2.1 (Maven)
jooby/jooby
< 1.6.9
Published
Apr 06, 2020
Tracked Since
Feb 18, 2026