CVE-2022-41915

NameCVE-2022-41915
DescriptionNetty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3268-1, DSA-5316-1
Debian Bugs1027180

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcebuster1:4.1.33-1+deb10u3DLA-3268-1
nettysourcebullseye1:4.1.48-4+deb11u1DSA-5316-1
nettysource(unstable)1:4.1.48-61027180

Notes

https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
Fixed by https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 (netty-4.1.86.Final)

Search for package or bug name: Reporting problems