Search for vulnerabilities
Vulnerability details: VCID-es3s-xjbh-wbas
Vulnerability ID VCID-es3s-xjbh-wbas
Aliases CVE-2015-2156
GHSA-xfv3-rrfm-f2rv
Summary Information Exposure in Netty Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
cvssv3.1 7.5 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
generic_textual HIGH http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
cvssv3.1 7.5 http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
generic_textual HIGH http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
epss 0.0223 https://api.first.org/data/v1/epss?cve=CVE-2015-2156
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=1222923
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1222923
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xfv3-rrfm-f2rv
cvssv3.1 7.5 https://github.com/netty/netty
generic_textual HIGH https://github.com/netty/netty
cvssv3.1 7.5 https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
generic_textual HIGH https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
cvssv3.1 7.5 https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
generic_textual HIGH https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
cvssv3.1 7.5 https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
generic_textual HIGH https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
cvssv3.1 7.5 https://github.com/netty/netty/pull/3754
generic_textual HIGH https://github.com/netty/netty/pull/3754
cvssv3.1 7.5 https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2015-2156
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2015-2156
cvssv3.1 7.5 https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
generic_textual HIGH https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
cvssv3.1 7.5 https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
generic_textual HIGH https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2015/05/17/1
generic_textual HIGH http://www.openwall.com/lists/oss-security/2015/05/17/1
cvssv3.1 7.5 http://www.securityfocus.com/bid/74704
generic_textual HIGH http://www.securityfocus.com/bid/74704
Reference id Reference type URL
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-2156.json
https://api.first.org/data/v1/epss?cve=CVE-2015-2156
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
https://github.com/netty/netty
https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
https://github.com/netty/netty/pull/3754
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2015-2156
https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
http://www.openwall.com/lists/oss-security/2015/05/17/1
http://www.securityfocus.com/bid/74704
646523 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646523
GHSA-xfv3-rrfm-f2rv https://github.com/advisories/GHSA-xfv3-rrfm-f2rv
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=1222923
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/pull/3754
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2015-2156
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2015/05/17/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.securityfocus.com/bid/74704
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.83793
EPSS Score 0.0223
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:17:27.602001+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json 36.1.3