CVE-2019-16771

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

CVSS v3 4.8 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20	Patch Vendor Advisory
https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86	Mailing List Third Party Advisory
https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20	Patch Vendor Advisory
https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linecorp:armeria:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:31

Type	Values Removed	Values Added
CVSS	v2 : ~~5.0~~ v3 : ~~6.5~~	v2 : 5.0 v3 : 4.8
References	~~() https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20 - Patch, Vendor Advisory~~	() https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20 - Patch, Vendor Advisory
References	~~() https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86 - Mailing List, Third Party Advisory~~	() https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86 - Mailing List, Third Party Advisory

Information

Published : 2019-12-06 19:15

Updated : 2024-11-21 04:31

NVD link : CVE-2019-16771

Mitre link : CVE-2019-16771

CVE.ORG link : CVE-2019-16771

JSON object : View

Products Affected

linecorp

armeria

CWE

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

4.8 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-16771

4.8^/10

5.0^/10

Attach tags to `CVE-2019-16771`