vulnerability

Debian: CVE-2022-41915: netty -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Dec 13, 2022	Jan 13, 2023	Aug 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Dec 13, 2022

Added

Jan 13, 2023

Modified

Aug 15, 2025

Description

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.

Solution

debian-upgrade-netty

References

CVE-2022-41915
https://attackerkb.com/topics/CVE-2022-41915
CWE-113
CWE-436
DEBIAN-DLA-3268-1
DEBIAN-DSA-5316
DEBIAN-DSA-5316-1

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today