{"id":"UBUNTU-CVE-2015-2156","details":"Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.","modified":"2025-10-24T04:45:20Z","published":"2017-10-18T15:29:00Z","upstream":["CVE-2015-2156"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-2156"},{"type":"REPORT","url":"http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html"},{"type":"REPORT","url":"https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass"},{"type":"REPORT","url":"http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156"},{"type":"REPORT","url":"https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2015-2156"}],"affected":[{"package":{"name":"netty","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/netty@1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:3.2.6.Final-2","1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1","binary_name":"libnetty-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2015/UBUNTU-CVE-2015-2156.json"}},{"package":{"name":"netty-3.9","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/netty-3.9@3.9.0.Final-1ubuntu0.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.9.0.Final-1","3.9.0.Final-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.9.0.Final-1ubuntu0.1","binary_name":"libnetty-3.9-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2015/UBUNTU-CVE-2015-2156.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}