{"id":"CVE-2015-2156","details":"Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.","aliases":["GHSA-xfv3-rrfm-f2rv"],"modified":"2026-04-10T15:29:14.858408069Z","published":"2017-10-18T15:29:00Z","related":["CGA-w6c4-7fwq-mwj8"],"references":[{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html"},{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html"},{"type":"ADVISORY","url":"http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2015/05/17/1"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/74704"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1222923"},{"type":"ADVISORY","url":"https://github.com/netty/netty/pull/3754"},{"type":"ADVISORY","url":"https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2015/05/17/1"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1222923"},{"type":"WEB","url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}