Improper Neutralization of CRLF Sequences in HTTP Headers in Versions of Armeria 0.85.0 through and including 0.96.0

Overview :

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Affected Product(s) :

Versions of Armeria 0.85.0 through and including 0.96.0

Vulnerability Details :

CVE ID :

CVE-2019-16771

Impact

Cross-User Defacement
Cache Poisoning
Cross-Site Scripting (XSS)
Page Hijacking

Root Cause

The root cause is due to the usage of Netty without the HTTP header validation.

Remediation / Fixes :

This vulnerability has been patched in 0.97.0.

Contact us to get started

CVE-2024-48889 : FORTINET FORTIMANAGER UP TO 6.4.14/7.0.12/7.2.7/7.4.4/7.6.0 FGFM REQUEST OS COMMAND INJECTION

Description An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiManager version

Learn more

CVE-2023-34990 : FORTINET FORTIWLM UP TO 8.5.4/8.6.5 WEB REQUEST PATH TRAVERSAL

Description A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute

Learn more

CVE-2024-47104 : IBM I 7.4/7.5 PHYSICAL FILE SECURITY ATTRIBUTES PERMISSION ASSIGNMENT

Description IBM i 7.4 and 7.5 is vulnerable to an authenticated user gaining elevated privilege to a physical file. A

Learn more