CVE-2019-16771
Last modified
CVE-2019-16771 is a medium-severity vulnerability with a CVSS v3.1 base score of 6.5 out of 10. Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. EPSS estimates a 0.98% probability of exploitation within the next 30 days.
Description
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking.
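The defect class described above, as an added illustration that is not Armeria's code: a header serializer that copies values unchecked (the vulnerable pattern) beside one that enforces the RFC 7230 header-name and field-value grammar, plus a minimal receiver-side parser that shows how an unvalidated CRLF turns one header into extra headers or a second body. All function names and the sample values are assumptions constructed for this example.

```python
import re

# RFC 7230 header name: token = 1*tchar.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 7230 field value: VCHAR / obs-text / SP / HTAB.
# CR (0x0D), LF (0x0A) and NUL are deliberately outside this set.
_FIELD_VALUE_RE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")


class HeaderInjectionError(ValueError):
    """Raised when a name or value would break the header framing."""


def validate_header(name, value):
    """Reject any name/value that is not a legal single header line."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError("invalid header name: %r" % name)
    if not _FIELD_VALUE_RE.match(value):
        raise HeaderInjectionError("invalid value for %s: %r" % (name, value))


def is_safe_header(name, value):
    try:
        validate_header(name, value)
        return True
    except HeaderInjectionError:
        return False


def serialize_head_unsafe(status_line, headers):
    """Vulnerable pattern: values are written without checking for CR/LF."""
    lines = [status_line] + ["%s: %s" % (n, v) for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def serialize_head(status_line, headers):
    """Hardened version: every header is validated before it is written."""
    for name, value in headers:
        validate_header(name, value)
    return serialize_head_unsafe(status_line, headers)


def parse_head(raw):
    """Receiver's view: returns (header list, remaining body)."""
    head, _, body = raw.partition("\r\n\r\n")
    _status, *field_lines = head.split("\r\n")
    fields = []
    for line in field_lines:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields, body
```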
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linecorp | Armeria | >= 0.85.0, < 0.97.0 |
References
- https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20 (Patch, Vendor Advisory)
- https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86 (Mailing List, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-16771?
How severe is CVE-2019-16771?
How do I fix CVE-2019-16771?
Source: NVD / NIST
