CVE-2019-16771 Information

Description

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference

https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20

https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
