Risk | High
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2020-7622
CWE-ID | CWE-444
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Jooby (Server applications / Frameworks for developing and running applications)
Vendor | Jooby Project
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU30314
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-7622
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Splitting. DefaultHttpHeaders is created with validation set to false, which means it does not validate that a header value is not being abused for HTTP Response Splitting.
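As an added illustration (not Jooby's or Netty's own code) of the validation flag the description refers to: the example assumes the class in question is Netty's io.netty.handler.codec.http.DefaultHttpHeaders, whose constructor takes a validate flag, and that Netty 4.1 is on the classpath. The HeaderValidationDemo class, its helper methods and the sample header value are constructed here.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class HeaderValidationDemo {

    // Constructed value standing in for untrusted input that reaches a response
    // header (for example a language tag taken from the request). It embeds CR LF,
    // the byte sequence that ends a header line in HTTP/1.1, so if it is written
    // to the wire unchecked, the text after it is parsed as a separate header.
    static final String UNTRUSTED_VALUE = "en\r\nX-Injected: 1";

    /**
     * Builds a Netty header set with the given validation flag and tries to
     * store the untrusted value. Returns true if the value was accepted as-is,
     * false if Netty's validator rejected it with IllegalArgumentException.
     */
    static boolean accepts(boolean validate) {
        HttpHeaders headers = new DefaultHttpHeaders(validate);
        try {
            headers.set("Content-Language", UNTRUSTED_VALUE);
            return true;
        } catch (IllegalArgumentException rejected) {
            return false;
        }
    }

    /**
     * Application-level check for code that cannot upgrade immediately:
     * a header value must not contain CR, LF or NUL regardless of what the
     * framework validates.
     */
    static boolean isSafeHeaderValue(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0 && value.indexOf('\0') < 0;
    }

    public static void main(String[] args) {
        // validate=false is the pre-2.2.1 setting: the CR LF passes through.
        System.out.println("validate=false accepts CR LF: " + accepts(false));
        // validate=true is the fixed setting: set() throws and nothing is stored.
        System.out.println("validate=true  accepts CR LF: " + accepts(true));
        System.out.println("application check passes: " + isSafeHeaderValue(UNTRUSTED_VALUE));
    }
}
```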
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Jooby: 2.2.0
External links
http://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j
http://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.