VYPR
High severity7.5NVD Advisory· Published Oct 18, 2017· Updated Jun 17, 2026

CVE-2015-2156

CVE-2015-2156

Description

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.netty:netty-parentMaven
>= 4.0.0, < 4.0.28.Final4.0.28.Final
org.jboss.netty:nettyMaven
< 3.9.8.Final3.9.8.Final
org.jboss.netty:nettyMaven
>= 3.10.0, < 3.10.3.Final3.10.3.Final
io.netty:nettyMaven
>= 3.10.0, < 3.10.3.Final3.10.3.Final
io.netty:nettyMaven
< 3.9.8.Final3.9.8.Final

Affected products

114
  • cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*+ 37 more
    • cpe:2.3:a:lightbend:play_framework:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.2:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.3:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.4:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.5:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.1.1:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.2:rc2:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:lightbend:play_framework:2.3.8:*:*:*:*:*:*:*
  • Netty/Netty36 versions
    cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*+ 35 more
    • cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*range: <=3.9.7
    • cpe:2.3:a:netty:netty:3.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:3.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:3.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.1.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.1.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.1.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:netty:netty:4.1.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*+ 35 more
    • cpe:2.3:a:playframework:play_framework:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.1:2.9.x-backport:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.1:rc1-2.9.x-backport:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.1:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.2:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.3:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.4:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.1.6:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.0:m1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.0:m2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.0:m3:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.1:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.2:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.2:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.2:rc3:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.2:rc4:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.3:rc2:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:playframework:play_framework:2.3:m1:*:*:*:*:*:*
  • osv-coords4 versions
    < 3.3.6-r21+ 3 more
    • (no CPE)range: < 3.3.6-r21
    • (no CPE)range: >= 3.10.0, < 3.10.3.Final
    • (no CPE)range: >= 4.0.0, < 4.0.28.Final
    • (no CPE)range: < 3.9.8.Final

Patches

Vulnerability mechanics

References

22

News mentions

0

No linked articles in our index yet.