CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

CVSS v3 7.5 HIGH
CVSS v2.0 4.3 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html	Third Party Advisory
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html	Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/05/17/1	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/74704	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1222923	Issue Tracking Third Party Advisory
https://github.com/netty/netty/pull/3754	Third Party Advisory
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html	Third Party Advisory
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html	Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/05/17/1	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/74704	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1222923	Issue Tracking Third Party Advisory
https://github.com/netty/netty/pull/3754	Third Party Advisory
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netty:netty::::::::
	cpe:2.3:a:netty:netty:3.10.0:::::::*
	cpe:2.3:a:netty:netty:3.10.1:::::::*
	cpe:2.3:a:netty:netty:3.10.2:::::::*
	cpe:2.3:a:netty:netty:4.0.0:::::::*
	cpe:2.3:a:netty:netty:4.0.1:::::::*
	cpe:2.3:a:netty:netty:4.0.2:::::::*
	cpe:2.3:a:netty:netty:4.0.3:::::::*
	cpe:2.3:a:netty:netty:4.0.4:::::::*
	cpe:2.3:a:netty:netty:4.0.5:::::::*
	cpe:2.3:a:netty:netty:4.0.6:::::::*
	cpe:2.3:a:netty:netty:4.0.7:::::::*
	cpe:2.3:a:netty:netty:4.0.8:::::::*
	cpe:2.3:a:netty:netty:4.0.9:::::::*
	cpe:2.3:a:netty:netty:4.0.10:::::::*
	cpe:2.3:a:netty:netty:4.0.11:::::::*
	cpe:2.3:a:netty:netty:4.0.12:::::::*
	cpe:2.3:a:netty:netty:4.0.13:::::::*
	cpe:2.3:a:netty:netty:4.0.14:::::::*
	cpe:2.3:a:netty:netty:4.0.15:::::::*
	cpe:2.3:a:netty:netty:4.0.16:::::::*
	cpe:2.3:a:netty:netty:4.0.17:::::::*
	cpe:2.3:a:netty:netty:4.0.18:::::::*
	cpe:2.3:a:netty:netty:4.0.19:::::::*
	cpe:2.3:a:netty:netty:4.0.20:::::::*
	cpe:2.3:a:netty:netty:4.0.21:::::::*
	cpe:2.3:a:netty:netty:4.0.22:::::::*
	cpe:2.3:a:netty:netty:4.0.23:::::::*
	cpe:2.3:a:netty:netty:4.0.24:::::::*
	cpe:2.3:a:netty:netty:4.0.25:::::::*
	cpe:2.3:a:netty:netty:4.0.26:::::::*
	cpe:2.3:a:netty:netty:4.0.27:::::::*
	cpe:2.3:a:netty:netty:4.1.0:beta1::::::
	cpe:2.3:a:netty:netty:4.1.0:beta2::::::
	cpe:2.3:a:netty:netty:4.1.0:beta3::::::
	cpe:2.3:a:netty:netty:4.1.0:beta4::::::

Configuration 2 (hide)

OR	cpe:2.3:a:lightbend:play_framework:2.0:rc3::::::
	cpe:2.3:a:lightbend:play_framework:2.0:rc4::::::
	cpe:2.3:a:lightbend:play_framework:2.0:rc5::::::
	cpe:2.3:a:lightbend:play_framework:2.0.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.2:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.2:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.3:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.3:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.3:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.4:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.4:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.4:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.5:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.5:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.0.5:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.0.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.7:::::::*
	cpe:2.3:a:lightbend:play_framework:2.0.8:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.1.1:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.2.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.2.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.0:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.0:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.3.0:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.3.1:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.2:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.2:rc1::::::
	cpe:2.3:a:lightbend:play_framework:2.3.2:rc2::::::
	cpe:2.3:a:lightbend:play_framework:2.3.3:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.4:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.5:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.6:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.7:::::::*
	cpe:2.3:a:lightbend:play_framework:2.3.8:::::::*
	cpe:2.3:a:playframework:play_framework:2.0:::::::*
	cpe:2.3:a:playframework:play_framework:2.0:beta::::::
	cpe:2.3:a:playframework:play_framework:2.0:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.0:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.0.1:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport::::::
	cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport::::::
	cpe:2.3:a:playframework:play_framework:2.1.1:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.2:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.2:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.2:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.3:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.3:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.3:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.4:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.4:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.1.4:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.1.5:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.6:::::::*
	cpe:2.3:a:playframework:play_framework:2.1.6:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m2::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:m3::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:rc1::::::
	cpe:2.3:a:playframework:play_framework:2.2.0:rc2::::::
	cpe:2.3:a:playframework:play_framework:2.2.1:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc2::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc3::::::
cpe:2.3:a:playframework:play_framework:2.2.2:rc4::::::
cpe:2.3:a:playframework:play_framework:2.2.3:::::::*
cpe:2.3:a:playframework:play_framework:2.2.3:rc1::::::
cpe:2.3:a:playframework:play_framework:2.2.3:rc2::::::
cpe:2.3:a:playframework:play_framework:2.2.4:::::::*
cpe:2.3:a:playframework:play_framework:2.2.5:::::::*
cpe:2.3:a:playframework:play_framework:2.3:m1::::::

History

No history.

Information

Published : 2017-10-18 15:29

Updated : 2025-04-20 01:37

NVD link : CVE-2015-2156

Mitre link : CVE-2015-2156

CVE.ORG link : CVE-2015-2156

JSON object : View

Products Affected

lightbend

play_framework

playframework

play_framework

netty

netty

CWE

CWE-20

Improper Input Validation

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2015-2156

7.5^/10

4.3^/10

Attach tags to `CVE-2015-2156`