{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-16T01:07:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"}, {"name": "FEDORA-2015-8713", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/pull/3754"}, {"name": "FEDORA-2015-8684", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html"}, {"name": "74704", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74704"}, {"name": "[oss-security] 20150516 Netty/Play's Security Updates (CVE-2015-2156)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1"}, {"name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}, {"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20191114 [jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2156", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html", "refsource": "CONFIRM", "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"}, {"name": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass", "refsource": "MISC", "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"}, {"name": "FEDORA-2015-8713", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923"}, {"name": "https://github.com/netty/netty/pull/3754", "refsource": "CONFIRM", "url": "https://github.com/netty/netty/pull/3754"}, {"name": "FEDORA-2015-8684", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html"}, {"name": "74704", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74704"}, {"name": "[oss-security] 20150516 Netty/Play's Security Updates (CVE-2015-2156)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1"}, {"name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"}, {"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20191114 [jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:10:14.283Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"}, {"name": "FEDORA-2015-8713", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/netty/netty/pull/3754"}, {"name": "FEDORA-2015-8684", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html"}, {"name": "74704", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74704"}, {"name": "[oss-security] 20150516 Netty/Play's Security Updates (CVE-2015-2156)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1"}, {"name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}, {"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20191114 [jira] [Commented] (CASSANDRA-15423) CVE-2015-2156 (Netty is vulnerable to Information Disclosure)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2156", "datePublished": "2017-10-18T15:00:00", "dateReserved": "2015-02-28T00:00:00", "dateUpdated": "2024-08-06T05:10:14.283Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE9BE4D2-0AF8-4825-9108-52EF8BD6C7B5", "versionEndIncluding": "3.9.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:3.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "66A094D1-826C-4DCF-BF8F-0AA0F8A5CC5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:3.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "3F5609AE-1F05-4EDC-844F-E357BE1E02B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:3.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "39F54228-AE67-4A7E-9C2F-99D3754CC8CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "069A7F48-DDF9-4C29-829F-63480AC8252A", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "1657CCDD-547C-462F-84A6-5C7897A0DE3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "48DEF144-095B-4A16-B1A0-540FFCB0571D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "34811757-A83B-4177-B256-17C75669CB4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "2F0B1676-F16F-49CB-A1D2-961236B29FB5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "9D5B2C70-1CA5-4285-B85A-C01A1F0D256F", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "4223B041-EA1F-4EF5-9C56-93B47426D634", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "3CC66E4C-0291-4F01-B6FF-1E6ABFFE3DD3", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "3FF070FD-09A2-453C-ABB0-57806785AC0B", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "2DB8331D-6E3B-419A-A5D1-7FCA56B01D9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "A78B72B6-389E-4EE4-86D4-9C8499BAF7CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "79C9F0BF-82E7-4E8D-81E0-8BE38AC892FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "638159B5-DCB2-48F2-B98C-D02AA4B55567", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "8DD72B11-80BE-4EE8-8350-E84A4DE19A14", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "938E8F20-809C-41CF-90B3-16C4FA22BE7D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "7ECC0699-8544-4D5E-ACF9-C09A5EF7C6A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "3947E2CD-9E5C-4D8F-970E-9AFCEBB9BEA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "D14F96ED-9B74-446A-BDAA-37DA46BF1C52", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "490A338C-50BB-4292-B3E3-EBCB4D2A89F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "6F11CDD4-F2C1-4019-AF12-F2F31A5A36AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "8F172E1C-0264-4241-988D-7EB38188E029", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.21:*:*:*:*:*:*:*", "matchCriteriaId": "07F517E7-0C8B-4562-ABF7-F2B5B1BA682E", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.22:*:*:*:*:*:*:*", "matchCriteriaId": "C776C471-B66F-4349-B7E9-D59012B53BC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "D4D796E9-9D65-4E1B-91DA-5CBC829A4516", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.24:*:*:*:*:*:*:*", "matchCriteriaId": "F64F7398-0C92-459B-809D-7BA543AEF058", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.25:*:*:*:*:*:*:*", "matchCriteriaId": "316B7A3D-69B4-4F9B-80A6-AB9858E01743", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.26:*:*:*:*:*:*:*", "matchCriteriaId": "C9B6111A-96A4-4E6F-B6C4-D0B85DD2CFAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*", "matchCriteriaId": "CAF6D60E-C9FD-4A73-ACB8-06500ADD8486", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "8E71050A-DFA2-41E5-9544-5DFF5453B4EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "0CE17333-AA06-4AD0-AFE0-B240BD22597C", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "62D878A0-678F-4D36-89B6-D9957EF8FC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:4.1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "11F45B0B-5D3E-48ED-A969-1EB8E9258A7D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lightbend:play_framework:2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9CBDD885-76D8-4A44-839F-7161A319CD21", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "CCCCBA8E-471B-4EE7-99D1-FCF228F396E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "95760FF9-A33C-4794-9585-79F29FF8218D", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "49CEACD0-279B-418D-8679-22D6CD18CCC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8DFEB1B-2BC6-4A81-9D97-232D6BB51BAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "4366138D-B4BC-450B-A52E-EA46CC9A2F5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3E48B60E-F85B-4DC6-806A-94D424D4E7C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F3F1ADCB-FDE4-4C43-BFEB-EA81524C1D56", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "7136FA34-EF5E-4F7B-8E78-85EA9B018758", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "E350767E-C5CD-4B3E-B70C-0D166B66F64E", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "80DC4D2F-CCEE-4227-A76F-F9B339E298C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "C4555E3D-B28A-4D7F-8322-8C93E055A41F", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4A2EFEFB-CC1C-4453-9CAC-D37063E1D851", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "A202AEE2-B1B7-49BD-BA91-98A71E7FA5B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "36E51880-F5E5-47D6-BA90-B4C6E8ADE962", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "A3C80F35-3B8E-4F7D-9C6B-21585F2516E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "8763EA91-CF68-4142-9F0F-F16AA9CF0011", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1535A9FA-42C2-40B6-96E6-CDBCE6F54076", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3C5F034A-E343-4285-A7EB-FC60F12F73AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6F351418-832C-4994-B3BF-B0F0152EE810", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "F03EAA0F-848C-4FCF-927E-DAFAFFA7641C", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "932C1D92-71AC-4520-A296-503BF0764E94", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F36EA7C0-669E-4D87-9E9C-FA3CEE565EEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "80ED9605-6D97-4DB2-96A2-C5F0BD6DDF2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "3E3107A2-7BA5-4490-98C4-A4FC127C07CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3287C930-7E89-4FE9-9570-7D05A8727AAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "475F2D6C-A82A-4607-AEEA-EB16DC7F3EEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "81BCC634-6424-4D53-AE78-F00782F290DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA9A457C-DA32-4094-9EF7-5DCBA4904CF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "95DE19B0-FDFD-4556-96F4-6D9470904F75", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "89244DD5-3EA1-471F-B678-A6921D17A804", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "96B59DC4-58BB-424C-BEFD-DF7E43E39C21", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "6CEFD24F-A241-44A7-9C2D-128F5C5F69BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "D286954C-BD26-4433-84D3-D0F37B61BB4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "EA2718B3-AE02-4C76-A17F-22B72016681A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "6F869944-14A6-4C7A-A096-7ABB0740B7B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "05A936F4-7FC3-45CD-AEBB-5DF105A5D698", "vulnerable": true}, {"criteria": "cpe:2.3:a:lightbend:play_framework:2.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "E6EDA101-F379-4CE9-83FA-1F85A501EA30", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DB9E2FF-60E9-4AF7-8893-688FD90C20BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "52FEDFA6-7774-4946-86D7-5A2E9E727D01", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "22061490-43D6-4793-A150-6159A979F586", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "2D4E1C16-BE0D-4E09-9E44-FE85A9D04568", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "856EF408-705A-48B9-B806-2AA5EE52984E", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport:*:*:*:*:*:*", "matchCriteriaId": "E2E88D11-966D-4273-AE80-A8ADD93F7E33", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport:*:*:*:*:*:*", "matchCriteriaId": "67A73F1E-3203-4EDE-A5FF-8225CCAEC652", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "23F4DA74-514C-433E-BE4F-756002431D2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "344B07EE-75F3-4794-8AFB-C68E26AECBC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "CCCB3504-8E6E-4825-A45B-EE1D5DBED376", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "085836CB-4832-4CBF-B2BB-E606C0F5261A", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "021F9BAB-1DAD-49EE-8F37-1E4155F8C32E", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "81FFB9E4-0CDB-4F9F-AAFC-5BAE1A2B7E5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "EC833EB6-FEE5-4A65-96E1-02E781D11354", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "FE38FB18-831C-4260-A70E-85FFB4048A90", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "28889691-9C50-4E80-8893-F4A04176D881", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "87AE18E4-42C2-4827-807D-E9FAA6AA6685", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "2A97A5A4-8D69-4514-9FF2-C7D7D2FF3FAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "ADB3F1A0-13DE-40F0-A368-D7967706054F", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.1.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "04CE71EA-2251-4860-8343-68E89FB00507", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.0:m1:*:*:*:*:*:*", "matchCriteriaId": "290E178F-F7F3-42B3-8B0F-B596F556646A", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.0:m2:*:*:*:*:*:*", "matchCriteriaId": "882AB7C8-2823-4FA7-95A7-D116421A055E", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.0:m3:*:*:*:*:*:*", "matchCriteriaId": "C57FF361-2274-4F9A-AD5A-BB0626BF7D68", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F6C36CCE-6B7B-4346-81B2-40ACE8F2EE63", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "947EF76E-2155-4191-AD7E-26A34B733B6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "36149A37-5BF7-41EC-AD65-34F5DAFFC64B", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "407B15E5-5355-4AE0-98E1-26B7C60D77A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "28A72C43-6033-4E99-BF41-513E4C69E2D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "2E54E70F-8F06-4558-B725-045B379D6279", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A8061B89-3B8D-4D38-9DA8-A52EC97CF966", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D664F3EF-B07F-47BC-A9CF-6CD22CF73D98", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "878003F7-7BE7-473A-B0B7-1C26A9A02D89", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A2114F67-E72F-4559-8921-7567F0985ED0", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "C991464B-52D4-4F70-91CE-E5FFDFCC6DD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "2EDCCE92-D85D-453B-B13B-52FC888F340A", "vulnerable": true}, {"criteria": "cpe:2.3:a:playframework:play_framework:2.3:m1:*:*:*:*:*:*", "matchCriteriaId": "8CEE3098-76E1-4734-9292-09EE7FB13044", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters."}, {"lang": "es", "value": "Netty en versiones anteriores a la 3.9.8.Final, 3.10.x anteriores a la 3.10.3.Final, 4.0.x anteriores a la 4.0.28.Final y 4.1.x anteriores a la 4.1.0.Beta5 y Play Framework 2.x en versiones anteriores a la 2.3.9 podr\u00eda permitir que atacantes remotos omitan el indicador httpOnly en las cookies y obtengan informaci\u00f3n sensible aprovechando la validaci\u00f3n incorrecta del nombre de la cookie y los caracteres del valor."}], "id": "CVE-2015-2156", "lastModified": "2023-11-07T02:25:09.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-18T15:29:00.173", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/74704"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/netty/netty/pull/3754"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "netty: HttpOnly cookie bypass", "id": "1222923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters."], "name": "CVE-2015-2156", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "netty", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "eds-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "ewp-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-esb-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "netty", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2015-05-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-2156\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-2156\nhttp://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156\nhttps://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"], "threat_severity": "Low", "upstream_fix": "netty 3.9.8.Final, netty 3.10.3.Final"}