VDB
CVE-2015-2156
CVE-2015-2156
PUBLISHED
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
EPSS 3.27% · 87.4th percentile
Risk Scores
EPSS Score
3.27%
87.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:14.04:LTS | netty | 1:3.2.6.Final-2, 1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1, 0 |
| Ubuntu:16.04:LTS | netty-3.9 | 0, 3.9.0.Final-1, 3.9.0.Final-1ubuntu0.1 |
Exploit Intelligence
- https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html (circl)
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320 (circl)
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321 (circl)
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322 (circl)
- https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos (circl)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/ (circl)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/ (circl)
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044 (circl)
- CIRCL published-proof-of-concept: CVE-2023-26116 (circl-sighting)
- CIRCL seen: CVE-2023-26116 (circl-sighting)
…and 8 more exploits
Timeline
- Oct 18, 2017 CVE Published
- Sep 22, 2021 CVE Updated
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 30, 2023 PoC Published
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2015-2156 third-party-advisory
- http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html third-party-advisory
- https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass third-party-advisory
- http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156 third-party-advisory
- https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2015-2156 third-party-advisory