Inconsistent interpretation of HTTP requests in Jooby - CVE-2020-7622
Published: April 6, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30314
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-7622
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jooby Project
Affected software:
Jooby
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Splitting. DefaultHttpHeaders is created with validation set to false, which means it does not validate that a header value is not being abused for HTTP Response Splitting (for example, by carrying CR/LF sequences that terminate the header and start a new one).
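The following is an added illustration, not code from Jooby or from Netty's DefaultHttpHeaders: a minimal response serializer with a header-validation switch, showing why a header value containing CR/LF splits the response when validation is off, and how a validator that rejects CR, LF and NUL closes the gap. The function names, the `validate` flag and the sample header value are assumptions constructed for this example.

```python
import re

# Characters that must never appear inside a header value: CR, LF and NUL.
# A CR/LF pair inside a value ends the current header line, so whatever
# follows is parsed by the client as a new header (or, after a blank line,
# as the response body). That is HTTP Response Splitting (CWE-444 family).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no CR, LF or NUL."""
    return _FORBIDDEN.search(value) is None


def validate_header_value(value: str) -> str:
    """Return the value unchanged, or raise ValueError if it would split the response."""
    if not is_safe_header_value(value):
        raise ValueError(f"refusing header value with CR/LF/NUL: {value!r}")
    return value


def build_response(headers: list[tuple[str, str]], body: str, validate: bool) -> str:
    """Serialize a minimal HTTP/1.1 response.

    validate=False models the unsafe setting the advisory describes (no check
    that a value is abused for splitting); validate=True is the hardened form.
    """
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers:
        if validate:
            value = validate_header_value(value)  # assumed validator, see above
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def header_line_count(raw: str) -> int:
    """Number of header lines a receiver sees before the blank line (status line excluded)."""
    head, _, _ = raw.partition("\r\n\r\n")
    return len(head.split("\r\n")) - 1


# Constructed sample values: a normal redirect target and one in which
# untrusted input has smuggled a CRLF followed by an extra header line.
CLEAN = "/home"
TAINTED = "/home\r\nX-Injected: 1"
```

With validation off, `build_response([("Location", TAINTED)], "", validate=False)` yields two header lines where the application wrote one; with validation on, the same call raises before anything is written.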
How to mitigate CVE-2020-7622
Install update from vendor's website.