[{"vendor":"n/a","product":"io.jooby:jooby-netty","versions":[{"version":"unspecified","lessThan":"1.6.9","versionType":"custom","status":"affected"},{"version":"2.0.0","lessThan":"unspecified","versionType":"custom","status":"affected"},{"version":"unspecified","lessThan":"2.2.1","versionType":"custom","status":"affected"}]}]

https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4

https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j

https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249

NIST NVD-CWE-Other

NIST CWE-74

OR
     *cpe:2.3:a:jooby:jooby:*:*:*:*:*:*:*:* versions up to (excluding) 2.2.1

OR
     *cpe:2.3:a:jooby:jooby:*:*:*:*:*:*:*:* versions up to (excluding) 1.6.9
     *cpe:2.3:a:jooby:jooby:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 2.2.1

https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4 No Types Assigned

https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4 Patch, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249 Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249 Patch, Third Party Advisory

All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.

This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.

Snyk AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

https://github.com/jooby-project/jooby/commit/b66e3342cf95205324023cfdf2cb5811e8a6dcf4 [No Types Assigned]

CWE-444

CWE-74

NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NIST (AV:N/AC:L/Au:N/C:P/I:P/A:P)

NIST CWE-444

OR
     *cpe:2.3:a:jooby:jooby:*:*:*:*:*:*:*:* versions up to (excluding) 2.2.1

https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j No Types Assigned

https://github.com/jooby-project/jooby/security/advisories/GHSA-gv3v-92v6-m48j Exploit, Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249 No Types Assigned

https://snyk.io/vuln/SNYK-JAVA-IOJOOBY-564249 Third Party Advisory

All versions before 2.2.1 are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.

All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.