
CVE-2020-6858: HTTP Response Splitting in Styx

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.56386%
Published: 3/3/2020
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name: com.hotels.styx:styx-api
Ecosystem: maven
Vulnerable Versions: <= 1.0.0.beta8
First Patched Version: 1.0.0-rc1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

Both functions directly disable Netty's built-in header validation by passing 'false' to its validation parameters:

  1. The HttpHeaders.Builder constructor creates an unvalidated headers container that is used throughout the application.
  2. StyxToNettyResponseTranslator finalizes responses without validation, leaving them susceptible to response splitting.

These functions would appear in profilers when handling untrusted header values, as shown in the PoC, where CRLF sequences bypass validation.
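The effect of that validation flag, as an added example that is not Styx or Miggo code: it uses Netty 4.1's io.netty.handler.codec.http.DefaultHttpHeaders (whose boolean constructor argument is the validation switch the analysis refers to) rather than the Styx Builder, whose signature is not shown on this page, and adds a constructed header value containing CRLF with validation off and on, alongside a stand-alone CR/LF check a gateway can apply before forwarding headers.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

public class HeaderValidationDemo {

    /** Stand-in check (not Styx code): true if the value carries a CR or LF,
     *  the characters CWE-113 (HTTP Response Splitting) is about. */
    static boolean containsCrlf(CharSequence value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                return true;
            }
        }
        return false;
    }

    /** Builds a Netty header container with validation on or off, tries to add
     *  one header, and reports whether the container accepted it. */
    static boolean tryAdd(boolean validate, String name, String value) {
        // Same flag the root cause analysis describes: false disables validation.
        HttpHeaders headers = new DefaultHttpHeaders(validate);
        try {
            headers.add(name, value);
            return true;
        } catch (IllegalArgumentException e) {
            // With validate == true Netty refuses prohibited characters in the value.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample value: an untrusted string with an embedded CRLF.
        String tainted = "ok\r\nX-Constructed: split";

        System.out.println("validate=false accepted: " + tryAdd(false, "X-Test", tainted));
        System.out.println("validate=true  accepted: " + tryAdd(true, "X-Test", tainted));
        System.out.println("own CRLF check flags it: " + containsCrlf(tainted));
    }
}
```

With validation disabled the tainted value is stored verbatim and reaches the wire; with it enabled the add fails, which is the control the patched version restores.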


WAF Protection Rules

WAF Rule

# Vulnerability

Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

# Vulnerable Component

The vulnerable component is the `com.hotels.styx.api.HttpHeaders.Builder` due to dis
