Bug 1233640 - CVE-2015-2156 Netty Cookie parsing logic was patched upstream
Keywords:
Status: CLOSED DUPLICATE of bug 1234173
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: HornetQ
Version: 6.4.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: jboss-set
QA Contact: Miroslav Novak
URL:
Whiteboard:
Depends On:
Blocks: CVE-2015-2156
Reported: 2015-06-19 10:43 UTC by Jason Shepherd
Modified: 2015-06-22 00:07 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-06-22 00:07:54 UTC
Type: Bug
Embargoed:




Links
System: Red Hat Bugzilla
ID: 1222923
Private: 0
Priority: low
Status: CLOSED
Summary: CVE-2015-2156 netty: HttpOnly cookie bypass
Last Updated: 2021-02-22 00:41:40 UTC

Description Jason Shepherd 2015-06-19 10:43:52 UTC
Description of problem:

Netty was patched upstream so that cookies are correctly parsed. This vulnerability could lead to XSS if using Netty as an HTTP server, which is not the intended use in EAP.

See CVE-2015-2156 for more details.


Version-Release number of selected component (if applicable):

5.2.x, and 6.x

Comment 1 Jason Shepherd 2015-06-22 00:07:54 UTC

*** This bug has been marked as a duplicate of bug 1234173 ***

