CVE-2020-7622: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2020-7622 affects the package io.jooby:jooby-netty before version 1.6.9, and versions from 2.0.0 to before 2.2.1. The issue was disclosed on April 6, 2020, and involves improper neutralization of CRLF sequences in HTTP headers, also known as HTTP Response Splitting (GitHub Advisory, Snyk Report).

The vulnerability stems from the DefaultHttpHeaders being set to false in the Jooby codebase, specifically in the NettyContext.java file. This configuration means that the header validation for HTTP Response Splitting is disabled. The issue was identified in the line 'final DefaultHttpHeaders setHeaders = new DefaultHttpHeaders(false)' (GitHub Commit). The vulnerability has been assigned a CVSS base score of 6.5 (medium) by Snyk and 9.8 (critical) by NVD (Snyk Report).

The vulnerability can lead to several security issues including Cross-Site Scripting, Cache Poisoning, and Page Hijacking. When exploited, it allows attackers to modify data, though with limited control over the consequences. There is also potential for some loss of confidentiality, where access to restricted information might be obtained (GitHub Advisory, Snyk Report).

The vulnerability was fixed in version 2.2.1 of the package. For users unable to update, it is recommended to ensure that user-supplied data cannot flow to HTTP headers. If user data must be used in headers, it should be pre-sanitized for CRLF characters (GitHub Advisory).

The vulnerability was discovered and reported by security researcher Jonathan Leitschuh, who had been investigating libraries for HTTP Response Splitting vulnerabilities. Jooby was the third case where this type of vulnerability was identified (GitHub Advisory).