Vulnerability details: VCID-hhjt-y9d5-eugn
Vulnerability ID VCID-hhjt-y9d5-eugn
Aliases CVE-2022-41915
GHSA-hh82-3pmq-7frp
Summary Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and then calling `add()` in a loop over the iterator of values.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
epss 0.0018 https://api.first.org/data/v1/epss?cve=CVE-2022-41915
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hh82-3pmq-7frp
cvssv3.1 6.5 https://github.com/netty/netty
generic_textual MODERATE https://github.com/netty/netty
cvssv3.1 6.5 https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0
generic_textual MODERATE https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0
cvssv3.1 6.5 https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
generic_textual MODERATE https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
cvssv3.1 6.5 https://github.com/netty/netty/issues/13084
generic_textual MODERATE https://github.com/netty/netty/issues/13084
cvssv3.1 6.5 https://github.com/netty/netty/pull/12760
generic_textual MODERATE https://github.com/netty/netty/pull/12760
cvssv3.1 6.5 https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
cvssv3.1_qr MODERATE https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
generic_textual MODERATE https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
cvssv3.1 6.5 https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-41915
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-41915
cvssv3.1 6.5 https://security.netapp.com/advisory/ntap-20230113-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230113-0004
cvssv3.1 6.5 https://www.debian.org/security/2023/dsa-5316
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5316
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-41915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41915
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/netty/netty
https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
https://github.com/netty/netty/issues/13084
https://github.com/netty/netty/pull/12760
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://nvd.nist.gov/vuln/detail/CVE-2022-41915
https://security.netapp.com/advisory/ntap-20230113-0004
https://security.netapp.com/advisory/ntap-20230113-0004/
https://www.debian.org/security/2023/dsa-5316
1027180 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027180
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
GHSA-hh82-3pmq-7frp https://github.com/advisories/GHSA-hh82-3pmq-7frp
USN-6049-1 https://usn.ubuntu.com/6049-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty/issues/13084
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty/pull/12760
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41915
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20230113-0004
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.debian.org/security/2023/dsa-5316
Exploit Prediction Scoring System (EPSS)
Percentile 0.40168
EPSS Score 0.0018
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:12:17.021911+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/6049-1/ 36.1.3