CVE-2022-41915

MEDIUM

Netty < 4.1.86 - Interpretation Conflict

Title source: rule

Description

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

References (7)

[Patch, Third Party Advisory] https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/netty/netty/issues/13084

[Patch, Third Party Advisory] https://github.com/netty/netty/pull/12760

[Mitigation, Third Party Advisory] https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230113-0004/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5316

Scores

CVSS v3 6.5

EPSS 0.0056

EPSS Percentile 68.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-113 CWE-436

Status published

Products (4)

debian/debian_linux 10.0

debian/debian_linux 11.0

io.netty/netty-codec-http 4.1.83.Final - 4.1.86.FinalMaven

netty/netty 4.1.83 - 4.1.86

Published Dec 13, 2022

Tracked Since Feb 18, 2026