{"api_version":"1","generated_at":"2026-04-23T02:37:47+00:00","cve":"CVE-2022-41915","urls":{"html":"https://cve.report/CVE-2022-41915","api":"https://cve.report/api/cve/CVE-2022-41915.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-41915","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-41915"},"summary":{"title":"CVE-2022-41915","description":"Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-12-13 07:15:00","updated_at":"2023-03-01 15:09:00"},"problem_types":["CWE-113","CWE-436"],"metrics":[],"references":[{"url":"https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp","name":"https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp","refsource":"MISC","tags":[],"title":"HTTP Response splitting from assigning header value iterator · Advisory · netty/netty · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html","name":"[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3268-1] netty security 
update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4","name":"https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-hh82-3pmq-7frp · netty/netty@fe18adf · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5316","name":"DSA-5316","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5316-1 netty","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/netty/netty/issues/13084","name":"https://github.com/netty/netty/issues/13084","refsource":"MISC","tags":[],"title":"CVE CVE-2022-41915: Incorrect range. Releases < 4.1.83.Final not affected · Issue #13084 · netty/netty · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/netty/netty/pull/12760","name":"https://github.com/netty/netty/pull/12760","refsource":"MISC","tags":[],"title":"Reject HTTP/2 header values with invalid characters by chrisvest · Pull Request #12760 · netty/netty · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230113-0004/","name":"https://security.netapp.com/advisory/ntap-20230113-0004/","refsource":"CONFIRM","tags":[],"title":"December 2022 Apache Netty Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-41915","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41915","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"41915","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41915","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41915","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netty","cpe5":"netty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41915","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netty","cpe5":"netty","cpe6":"4.1.86","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-41915","qid":"181469","title":"Debian Security Update for netty (DLA 3268-1)"},{"cve":"CVE-2022-41915","qid":"181471","title":"Debian Security Update for netty (DSA 5316-1)"},{"cve":"CVE-2022-41915","qid":"183803","title":"Debian Security Update for netty (CVE-2022-41915)"},{"cve":"CVE-2022-41915","qid":"199574","title":"Ubuntu Security Notification for Netty Vulnerabilities (USN-6049-1)"},{"cve":"CVE-2022-41915","qid":"753971","title":"SUSE Enterprise Linux Security Update for netty, netty-tcnative 
(SUSE-SU-2023:2096-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-41915","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"source":{"advisory":"GHSA-hh82-3pmq-7frp","discovery":"UNKNOWN"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"netty","product":{"product_data":[{"product_name":"netty","version":{"version_data":[{"version_name":"4.1.86.Final","version_affected":"<","version_value":"4.1.86.Final","platform":""},{"version_name":"4.1.83.Final","version_affected":">=","version_value":"4.1.83.Final","platform":""}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-436: Interpretation Conflict","cweId":"CWE-436"}]},{"description":[{"lang":"eng","value":"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')","cweId":"CWE-113"}]}]},"description":{"description_data":[{"lang":"eng","value":"Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. 
Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values."}]},"references":{"reference_data":[{"refsource":"CONFIRM","url":"https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp","name":"https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp"},{"refsource":"MISC","url":"https://github.com/netty/netty/issues/13084","name":"https://github.com/netty/netty/issues/13084"},{"refsource":"MISC","url":"https://github.com/netty/netty/pull/12760","name":"https://github.com/netty/netty/pull/12760"},{"refsource":"MISC","url":"https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4","name":"https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"refsource":"DEBIAN","name":"DSA-5316","url":"https://www.debian.org/security/2023/dsa-5316"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230113-0004/","url":"https://security.netapp.com/advisory/ntap-20230113-0004/"}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM"}}},"nvd":{"publishedDate":"2022-12-13 07:15:00","lastModifiedDate":"2023-03-01 
15:09:00","problem_types":["CWE-113","CWE-436"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.83","versionEndExcluding":"4.1.86","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}