2020-03-30
All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection because the client does not validate the request headers passed to it.
Products | Micronaut |
Type | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444) |
First patch | - None (likely due to unavailable code) |
Links |
• https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm
• https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342
• https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1 |