CVE-2019-16771 MEDIUM

CVE-2019-16771: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria

Vendor Line
Product Armeria
Weakness CWE-113 · HTTP response splitting
Published December 6, 2019
Last update August 5, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Armeria versions 0.85.0 through 0.96.0, inclusive, are vulnerable to HTTP response splitting: when unsanitized data is used to populate the headers of an HTTP response, a remote attacker can inject arbitrary HTTP headers via CRLF sequences. The vulnerability is patched in 0.97.0. Potential impacts include cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking.
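The following added example (not Armeria's code and not the 0.97.0 patch) shows in plain Java why a header value written verbatim becomes two header lines, and a value check that refuses CR, LF and NUL before the header is set. The class, the method names and the sample value are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderCrlfCheck {
    // Naive serializer (assumption for illustration): writes each value verbatim,
    // which is the behaviour that makes response splitting possible.
    static String serialize(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder("HTTP/1.1 302 Found\r\n");
        headers.forEach((k, v) -> sb.append(k).append(": ").append(v).append("\r\n"));
        return sb.append("\r\n").toString();
    }

    // Defensive check: refuse any value that carries a line terminator or NUL
    // instead of trying to strip or re-encode it.
    static String requireSafeValue(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException(
                        "header '" + name + "' contains a prohibited character at index " + i);
            }
        }
        return value;
    }

    // Number of header lines a downstream parser sees in the response head.
    static long headerLineCount(String raw) {
        String head = raw.substring(0, raw.indexOf("\r\n\r\n"));
        return head.split("\r\n").length - 1; // exclude the status line
    }

    public static void main(String[] args) {
        // Constructed sample: a request-derived value with an embedded CRLF.
        String untrusted = "/home\r\nX-Injected: constructed";

        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Location", untrusted);
        // One header was set, but the serialized head contains more than one line.
        System.out.println("header lines without validation: "
                + headerLineCount(serialize(headers)));

        try {
            headers.put("Location", requireSafeValue("Location", untrusted));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On affected versions, a check like this belongs at every point where request-derived data reaches a response header; upgrading to 0.97.0 remains the fix the advisory names.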

Key dates

02 Disclosure timeline

December 6, 2019 CVE published
August 5, 2024 Record updated