Inconsistent interpretation of HTTP requests in Jooby



Published: 2020-04-06 | Updated: 2020-07-17
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-7622
CWE-ID CWE-444
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Jooby
Server applications / Frameworks for developing and running applications

Vendor Jooby Project

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU30314

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7622

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jooby: 2.2.0

External links

http://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
http://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###