High severity 7.5 · NVD Advisory · Published Oct 18, 2017 · Updated Jun 17, 2026
CVE-2015-2156
Description
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.netty:netty-parent (Maven) | >= 4.0.0, < 4.0.28.Final | 4.0.28.Final |
| org.jboss.netty:netty (Maven) | < 3.9.8.Final | 3.9.8.Final |
| org.jboss.netty:netty (Maven) | >= 3.10.0, < 3.10.3.Final | 3.10.3.Final |
| io.netty:netty (Maven) | >= 3.10.0, < 3.10.3.Final | 3.10.3.Final |
| io.netty:netty (Maven) | < 3.9.8.Final | 3.9.8.Final |
Affected products
114 entries
cpe:2.3:a:lightbend:play_framework, 38 entries:
- cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:lightbend:play_framework:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:netty:netty, 36 entries:
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* (range: <=3.9.7)
- cpe:2.3:a:netty:netty:3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:4.1.0:beta4:*:*:*:*:*:*
cpe:2.3:a:playframework:play_framework, 36 entries:
- cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:m3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:playframework:play_framework:2.3:m1:*:*:*:*:*:*
osv-coords, 4 versions: pkg:apk/chainguard/hadoop-fips-3.3.6, pkg:maven/io.netty/netty, pkg:maven/io.netty/netty-parent, pkg:maven/org.jboss.netty/netty
- (no CPE) range: < 3.3.6-r21
- (no CPE) range: >= 3.10.0, < 3.10.3.Final
- (no CPE) range: >= 4.0.0, < 4.0.28.Final
- (no CPE) range: < 3.9.8.Final
References (22)
- lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html (nvd, Third Party Advisory, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html (nvd, Third Party Advisory, WEB)
- netty.io/news/2015/05/08/3-9-8-Final-and-3.html (nvd, Vendor Advisory, WEB)
- www.openwall.com/lists/oss-security/2015/05/17/1 (nvd, Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/74704 (nvd, Third Party Advisory, VDB Entry, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, Issue Tracking, Third Party Advisory, WEB)
- github.com/advisories/GHSA-xfv3-rrfm-f2rv (ghsa, ADVISORY)
- github.com/netty/netty/pull/3754 (nvd, Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2015-2156 (ghsa, ADVISORY)
- www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass (nvd, Third Party Advisory, WEB)
- github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55 (ghsa, WEB)
- github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752 (ghsa, WEB)
- github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9 (ghsa, WEB)
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E (ghsa, WEB)
- snyk.io/vuln/SNYK-JAVA-IONETTY-73571 (ghsa, WEB)
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E (nvd)
- lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3%40%3Ccommits.cassandra.apache.org%3E (nvd)
- lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769%40%3Ccommits.cassandra.apache.org%3E (nvd)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E (nvd)