Improper Neutralization of CRLF Sequences in HTTP Headers in Versions of Armeria 0.85.0 through and including 0.96.0

Overview :

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Affected Product(s) :

Versions of Armeria 0.85.0 through and including 0.96.0

Vulnerability Details :

CVE ID :

CVE-2019-16771

Impact

Cross-User Defacement
Cache Poisoning
Cross-Site Scripting (XSS)
Page Hijacking

Root Cause

The root cause is due to the usage of Netty without the HTTP header validation.

Remediation / Fixes :

This vulnerability has been patched in 0.97.0.

Contact us to get started

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

Description A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB)

Learn more

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

Description A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could

Learn more

CVE-2024-50340 : SYMFONY INJECTION

Description symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the

Learn more