CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2023-49082 (GCVE-0-2023-49082)
Vulnerability from cvelistv5 – Published: 2023-11-29 20:07 – Updated: 2025-11-04 18:19
VLAI
Title
aiohttp's ClientSession is vulnerable to CRLF injection via method
Summary
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
Severity
5.3 (Medium)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/aio-libs/aiohttp/security/advi… | x_refsource_CONFIRM |
| https://github.com/aio-libs/aiohttp/pull/7806/files | x_refsource_MISC |
| https://github.com/aio-libs/aiohttp/commit/e4ae01… | x_refsource_MISC |
| https://gist.github.com/jnovikov/7f411ae9fe6a9a78… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:19:35.587Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
},
{
"name": "https://github.com/aio-libs/aiohttp/pull/7806/files",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
},
{
"name": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
},
{
"name": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "aiohttp",
"vendor": "aio-libs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T14:11:02.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx"
},
{
"name": "https://github.com/aio-libs/aiohttp/pull/7806/files",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aio-libs/aiohttp/pull/7806/files"
},
{
"name": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466"
},
{
"name": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b"
}
],
"source": {
"advisory": "GHSA-qvrw-v9rv-5rjx",
"discovery": "UNKNOWN"
},
"title": "aiohttp\u0027s ClientSession is vulnerable to CRLF injection via method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49082",
"datePublished": "2023-11-29T20:07:29.341Z",
"dateReserved": "2023-11-21T18:57:30.428Z",
"dateUpdated": "2025-11-04T18:19:35.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1226 (GCVE-0-2024-1226)
Vulnerability from cvelistv5 – Published: 2024-03-12 15:07 – Updated: 2024-08-05 17:48
VLAI
Title
Multiple vulnerabilities in Rejetto's Http File Server
Summary
The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.
Severity
7.5 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rejetto | Http File Server |
Affected:
2.2a, build #124
|
Date Public
2024-02-05 14:58
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rejetto:http_file_server:2.2a:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "http_file_server",
"vendor": "rejetto",
"versions": [
{
"status": "affected",
"version": "2.2a"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:41:01.852952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T17:48:59.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Http File Server ",
"vendor": "Rejetto ",
"versions": [
{
"status": "affected",
"version": "2.2a, build #124"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafael Pedrero"
}
],
"datePublic": "2024-02-05T14:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks."
}
],
"value": "The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-15",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-15 Command Delimiters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T15:07:22.921Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability has been fixed in subsequent versions. The affected version is not currently supported.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nThe vulnerability has been fixed in subsequent versions. The affected version is not currently supported.\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple vulnerabilities in Rejetto\u0027s Http File Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-1226",
"datePublished": "2024-03-12T15:07:18.532Z",
"dateReserved": "2024-02-05T11:44:28.014Z",
"dateUpdated": "2024-08-05T17:48:59.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-20337 (GCVE-0-2024-20337)
Vulnerability from cvelistv5 – Published: 2024-03-06 16:30 – Updated: 2024-08-01 21:59
VLAI
Summary
A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.
Severity
8.2 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Secure Client |
Affected:
4.9.00086
Affected: 4.9.01095 Affected: 4.9.02028 Affected: 4.9.03047 Affected: 4.9.03049 Affected: 4.9.04043 Affected: 4.9.04053 Affected: 4.9.05042 Affected: 4.9.06037 Affected: 4.10.00093 Affected: 4.10.01075 Affected: 4.10.02086 Affected: 4.10.03104 Affected: 4.10.04065 Affected: 4.10.04071 Affected: 4.10.05085 Affected: 4.10.05095 Affected: 4.10.05111 Affected: 4.10.06079 Affected: 4.10.06090 Affected: 4.10.07061 Affected: 4.10.07062 Affected: 4.10.07073 Affected: 5.0.00238 Affected: 5.0.00529 Affected: 5.0.00556 Affected: 5.0.01242 Affected: 5.0.02075 Affected: 5.0.03072 Affected: 5.0.03076 Affected: 5.0.04032 Affected: 5.0.05040 Affected: 5.1.0.136 Affected: 5.1.1.42 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cisco:secure_client:4.10.00093:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.01075:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.02086:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.03104:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.04065:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.04071:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.05085:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.05095:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.05111:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.06079:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.06090:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.07061:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.07062:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.10.07073:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.00086:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.01095:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.02028:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.03047:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.03049:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.04043:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.04053:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.05042:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:4.9.06037:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.00238:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.00529:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.00556:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.01242:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.02075:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.03072:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.03076:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.0.04032:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.1.0.136:*:*:*:*:*:*:*",
"cpe:2.3:a:cisco:secure_client:5.1.1.42:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "secure_client",
"vendor": "cisco",
"versions": [
{
"status": "affected",
"version": "4.10.00093"
},
{
"status": "affected",
"version": "4.10.01075"
},
{
"status": "affected",
"version": "4.10.02086"
},
{
"status": "affected",
"version": "4.10.03104"
},
{
"status": "affected",
"version": "4.10.04065"
},
{
"status": "affected",
"version": "4.10.04071"
},
{
"status": "affected",
"version": "4.10.05085"
},
{
"status": "affected",
"version": "4.10.05095"
},
{
"status": "affected",
"version": "4.10.05111"
},
{
"status": "affected",
"version": "4.10.06079"
},
{
"status": "affected",
"version": "4.10.06090"
},
{
"status": "affected",
"version": "4.10.07061"
},
{
"status": "affected",
"version": "4.10.07062"
},
{
"status": "affected",
"version": "4.10.07073"
},
{
"status": "affected",
"version": "4.9.00086"
},
{
"status": "affected",
"version": "4.9.01095"
},
{
"status": "affected",
"version": "4.9.02028"
},
{
"status": "affected",
"version": "4.9.03047"
},
{
"status": "affected",
"version": "4.9.03049"
},
{
"status": "affected",
"version": "4.9.04043"
},
{
"status": "affected",
"version": "4.9.04053"
},
{
"status": "affected",
"version": "4.9.05042"
},
{
"status": "affected",
"version": "4.9.06037"
},
{
"status": "affected",
"version": "5.0.00238"
},
{
"status": "affected",
"version": "5.0.00529"
},
{
"status": "affected",
"version": "5.0.00556"
},
{
"status": "affected",
"version": "5.0.01242"
},
{
"status": "affected",
"version": "5.0.02075"
},
{
"status": "affected",
"version": "5.0.03072"
},
{
"status": "affected",
"version": "5.0.03076"
},
{
"status": "affected",
"version": "5.0.04032"
},
{
"status": "affected",
"version": "5.1.0.136"
},
{
"status": "affected",
"version": "5.1.1.42"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-20337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-09T05:00:57.702576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T17:00:36.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:59:42.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "cisco-sa-secure-client-crlf-W43V4G7",
"tags": [
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cisco Secure Client",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "4.9.00086"
},
{
"status": "affected",
"version": "4.9.01095"
},
{
"status": "affected",
"version": "4.9.02028"
},
{
"status": "affected",
"version": "4.9.03047"
},
{
"status": "affected",
"version": "4.9.03049"
},
{
"status": "affected",
"version": "4.9.04043"
},
{
"status": "affected",
"version": "4.9.04053"
},
{
"status": "affected",
"version": "4.9.05042"
},
{
"status": "affected",
"version": "4.9.06037"
},
{
"status": "affected",
"version": "4.10.00093"
},
{
"status": "affected",
"version": "4.10.01075"
},
{
"status": "affected",
"version": "4.10.02086"
},
{
"status": "affected",
"version": "4.10.03104"
},
{
"status": "affected",
"version": "4.10.04065"
},
{
"status": "affected",
"version": "4.10.04071"
},
{
"status": "affected",
"version": "4.10.05085"
},
{
"status": "affected",
"version": "4.10.05095"
},
{
"status": "affected",
"version": "4.10.05111"
},
{
"status": "affected",
"version": "4.10.06079"
},
{
"status": "affected",
"version": "4.10.06090"
},
{
"status": "affected",
"version": "4.10.07061"
},
{
"status": "affected",
"version": "4.10.07062"
},
{
"status": "affected",
"version": "4.10.07073"
},
{
"status": "affected",
"version": "5.0.00238"
},
{
"status": "affected",
"version": "5.0.00529"
},
{
"status": "affected",
"version": "5.0.00556"
},
{
"status": "affected",
"version": "5.0.01242"
},
{
"status": "affected",
"version": "5.0.02075"
},
{
"status": "affected",
"version": "5.0.03072"
},
{
"status": "affected",
"version": "5.0.03076"
},
{
"status": "affected",
"version": "5.0.04032"
},
{
"status": "affected",
"version": "5.0.05040"
},
{
"status": "affected",
"version": "5.1.0.136"
},
{
"status": "affected",
"version": "5.1.1.42"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. \r\n\r This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T16:30:02.285Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-secure-client-crlf-W43V4G7",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7"
}
],
"source": {
"advisory": "cisco-sa-secure-client-crlf-W43V4G7",
"defects": [
"CSCwi37512"
],
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2024-20337",
"datePublished": "2024-03-06T16:30:02.285Z",
"dateReserved": "2023-11-08T15:08:07.642Z",
"dateUpdated": "2024-08-01T21:59:42.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32986 (GCVE-0-2024-32986)
Vulnerability from cvelistv5 – Published: 2024-05-03 09:58 – Updated: 2024-08-02 02:27
VLAI
Title
Arbitrary code execution due to improper sanitization of web app properties in PWAsForFirefox
Summary
PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and `AppInfo.ini` (on PortableApps.com). This allowed malicious web apps to introduce keys like `Exec`, which could run arbitrary code when the affected web app was launched. This vulnerability affects all Linux and PortableApps.com users of all PWAsForFirefox versions up to (excluding) 2.12.0. Windows and macOS users are not affected. This vulnerability has been fixed in commit `9932d4b` which has been included in release in v2.12.0. The main fix is implemented in the native part, but the extension also contains additional fixes. All Linux and PortableApps.com users are advised to update to this version as soon as possible. It is also recommended for Windows and macOS users to update to this version, as it contains additional fixes related to properties sanitization. There are no known workarounds for this vulnerability.
Severity
9.7 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/filips123/PWAsForFirefox/secur… | x_refsource_CONFIRM |
| https://github.com/filips123/PWAsForFirefox/commi… | x_refsource_MISC |
| https://github.com/filips123/PWAsForFirefox/relea… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| filips123 | PWAsForFirefox |
Affected:
< 2.12.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:filips123:PWAsForFirefox:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "PWAsForFirefox",
"vendor": "filips123",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T16:11:44.257289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:22.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq"
},
{
"name": "https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5"
},
{
"name": "https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PWAsForFirefox",
"vendor": "filips123",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and `AppInfo.ini` (on PortableApps.com). This allowed malicious web apps to introduce keys like `Exec`, which could run arbitrary code when the affected web app was launched. This vulnerability affects all Linux and PortableApps.com users of all PWAsForFirefox versions up to (excluding) 2.12.0. Windows and macOS users are not affected. This vulnerability has been fixed in commit `9932d4b` which has been included in release in v2.12.0. The main fix is implemented in the native part, but the extension also contains additional fixes. All Linux and PortableApps.com users are advised to update to this version as soon as possible. It is also recommended for Windows and macOS users to update to this version, as it contains additional fixes related to properties sanitization. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T09:58:32.506Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq"
},
{
"name": "https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5"
},
{
"name": "https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0"
}
],
"source": {
"advisory": "GHSA-jmhv-m7v5-g5jq",
"discovery": "UNKNOWN"
},
"title": "Arbitrary code execution due to improper sanitization of web app properties in PWAsForFirefox "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32986",
"datePublished": "2024-05-03T09:58:32.506Z",
"dateReserved": "2024-04-22T15:14:59.167Z",
"dateUpdated": "2024-08-02T02:27:53.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45302 (GCVE-0-2024-45302)
Vulnerability from cvelistv5 – Published: 2024-08-29 21:18 – Updated: 2024-08-30 14:55
VLAI
Title
CRLF Injection in RestSharp's `RestRequest.AddHeader` method
Summary
RestSharp is a Simple REST and HTTP API Client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method which does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation. RestSharp has addressed this issue in version 112.0.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
6.1 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/restsharp/RestSharp/security/a… | x_refsource_CONFIRM |
| https://github.com/restsharp/RestSharp/commit/0fb… | x_refsource_MISC |
| https://github.com/restsharp/RestSharp/blob/777bf… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:restsharp:restsharp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "restsharp",
"vendor": "restsharp",
"versions": [
{
"lessThan": "112.0.0",
"status": "affected",
"version": "107",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45302",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:54:23.955865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:55:34.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RestSharp",
"vendor": "restsharp",
"versions": [
{
"status": "affected",
"version": "\u003e= 107, \u003c 112.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RestSharp is a Simple REST and HTTP API Client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method which does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation. RestSharp has addressed this issue in version 112.0.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T21:18:43.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc"
},
{
"name": "https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b"
},
{
"name": "https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32"
}
],
"source": {
"advisory": "GHSA-4rr6-2v9v-wcpc",
"discovery": "UNKNOWN"
},
"title": "CRLF Injection in RestSharp\u0027s `RestRequest.AddHeader` method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45302",
"datePublished": "2024-08-29T21:18:43.261Z",
"dateReserved": "2024-08-26T18:25:35.443Z",
"dateUpdated": "2024-08-30T14:55:34.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45597 (GCVE-0-2024-45597)
Vulnerability from cvelistv5 – Published: 2024-09-10 21:42 – Updated: 2024-09-11 13:28
VLAI
Title
Pluto's http.request allows CR and LF in header values
Summary
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.
Severity
5.3 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PlutoLang/Pluto/security/advis… | x_refsource_CONFIRM |
| https://github.com/PlutoLang/Pluto/pull/945 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pluto:pluto:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pluto",
"vendor": "pluto",
"versions": [
{
"lessThanOrEqual": "0.9.4",
"status": "affected",
"version": "0.9.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T13:19:58.530702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T13:28:10.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pluto",
"vendor": "PlutoLang",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c= 0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T21:42:47.530Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7"
},
{
"name": "https://github.com/PlutoLang/Pluto/pull/945",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PlutoLang/Pluto/pull/945"
}
],
"source": {
"advisory": "GHSA-w8xp-pmx2-37w7",
"discovery": "UNKNOWN"
},
"title": "Pluto\u0027s http.request allows CR and LF in header values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45597",
"datePublished": "2024-09-10T21:42:47.530Z",
"dateReserved": "2024-09-02T16:00:02.423Z",
"dateUpdated": "2024-09-11T13:28:10.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48867 (GCVE-0-2024-48867)
Vulnerability from cvelistv5 – Published: 2024-12-06 16:36 – Updated: 2024-12-06 19:38
VLAI
Title
QTS, QuTS hero
Summary
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.
We have already fixed the vulnerability in the following versions:
QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.2.2952 build 20241116 and later
Severity
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.1.x , < 5.1.9.2954 build 20241120
(custom)
Affected: 5.2.x , < 5.2.2.2950 build 20241114 (custom) |
|
| QNAP Systems Inc. | QuTS hero |
Affected:
h5.1.x , < h5.1.9.2954 build 20241120
(custom)
Affected: h5.2.x , < h5.2.2.2952 build 20241116 (custom) |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.9.2954 build 20241120",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "5.2.2.2950 build 20241114",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h5.1.9.2954 build 20241120",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h5.2.2.2952 build 20241116",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T19:27:08.830441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T19:38:19.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.9.2954 build 20241120",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "5.2.2.2950 build 20241114",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.9.2954 build 20241120",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h5.2.2.2952 build 20241116",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2024 - Chris Anastasio \u0026 Fabius Watson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.9.2954 build 20241120 and later\u003cbr\u003eQTS 5.2.2.2950 build 20241114 and later\u003cbr\u003eQuTS hero h5.1.9.2954 build 20241120 and later\u003cbr\u003eQuTS hero h5.2.2.2952 build 20241116 and later\u003cbr\u003e"
}
],
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.9.2954 build 20241120 and later\nQTS 5.2.2.2950 build 20241114 and later\nQuTS hero h5.1.9.2954 build 20241120 and later\nQuTS hero h5.2.2.2952 build 20241116 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-15",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-15"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:36:20.438Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-49"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.9.2954 build 20241120 and later\u003cbr\u003eQTS 5.2.2.2950 build 20241114 and later\u003cbr\u003eQuTS hero h5.1.9.2954 build 20241120 and later\u003cbr\u003eQuTS hero h5.2.2.2952 build 20241116 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.9.2954 build 20241120 and later\nQTS 5.2.2.2950 build 20241114 and later\nQuTS hero h5.1.9.2954 build 20241120 and later\nQuTS hero h5.2.2.2952 build 20241116 and later"
}
],
"source": {
"advisory": "QSA-24-49",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-48867",
"datePublished": "2024-12-06T16:36:20.438Z",
"dateReserved": "2024-10-09T00:22:57.834Z",
"dateUpdated": "2024-12-06T19:38:19.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48868 (GCVE-0-2024-48868)
Vulnerability from cvelistv5 – Published: 2024-12-06 16:36 – Updated: 2024-12-06 19:36
VLAI
Title
QTS, QuTS hero
Summary
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.
We have already fixed the vulnerability in the following versions:
QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.2.2952 build 20241116 and later
Severity
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.1.x , < 5.1.9.2954 build 20241120
(custom)
Affected: 5.2.x , < 5.2.2.2950 build 20241114 (custom) |
|
| QNAP Systems Inc. | QuTS hero |
Affected:
h5.1.x , < h5.1.9.2954 build 20241120
(custom)
Affected: h5.2.x , < h5.2.2.2952 build 20241116 (custom) |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.9.2954 build 20241120",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "5.2.2.2950 build 20241114",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h5.1.9.2954 build 20241120",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h5.2.2.2952 build 20241116",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T19:26:55.261983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T19:36:12.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.9.2954 build 20241120",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "5.2.2.2950 build 20241114",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.9.2954 build 20241120",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h5.2.2.2952 build 20241116",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2024 - Chris Anastasio \u0026 Fabius Watson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.9.2954 build 20241120 and later\u003cbr\u003eQTS 5.2.2.2950 build 20241114 and later\u003cbr\u003eQuTS hero h5.1.9.2954 build 20241120 and later\u003cbr\u003eQuTS hero h5.2.2.2952 build 20241116 and later\u003cbr\u003e"
}
],
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.9.2954 build 20241120 and later\nQTS 5.2.2.2950 build 20241114 and later\nQuTS hero h5.1.9.2954 build 20241120 and later\nQuTS hero h5.2.2.2952 build 20241116 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-15",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-15"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:36:27.206Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-49"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.9.2954 build 20241120 and later\u003cbr\u003eQTS 5.2.2.2950 build 20241114 and later\u003cbr\u003eQuTS hero h5.1.9.2954 build 20241120 and later\u003cbr\u003eQuTS hero h5.2.2.2952 build 20241116 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.9.2954 build 20241120 and later\nQTS 5.2.2.2950 build 20241114 and later\nQuTS hero h5.1.9.2954 build 20241120 and later\nQuTS hero h5.2.2.2952 build 20241116 and later"
}
],
"source": {
"advisory": "QSA-24-49",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-48868",
"datePublished": "2024-12-06T16:36:27.206Z",
"dateReserved": "2024-10-09T00:22:57.834Z",
"dateUpdated": "2024-12-06T19:36:12.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50405 (GCVE-0-2024-50405)
Vulnerability from cvelistv5 – Published: 2025-03-07 16:13 – Updated: 2025-03-07 17:14
VLAI
Title
QTS, QuTS hero
Summary
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.2.3.3006 build 20250108 and later
Severity
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.2.x , < 5.2.3.3006 build 20250108
(custom)
|
|
| QNAP Systems Inc. | QuTS hero |
Affected:
h5.2.x , < h5.2.3.3006 build 20250108
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:12:16.397788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:14:37.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.3.3006 build 20250108",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.3.3006 build 20250108",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Searat and izut"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.3.3006 build 20250108 and later\u003cbr\u003eQuTS hero h5.2.3.3006 build 20250108 and later\u003cbr\u003e"
}
],
"value": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.3.3006 build 20250108 and later\nQuTS hero h5.2.3.3006 build 20250108 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-94",
"description": "CWE-94",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T16:13:17.099Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-54"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.3.3006 build 20250108 and later\u003cbr\u003eQuTS hero h5.2.3.3006 build 20250108 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.3.3006 build 20250108 and later\nQuTS hero h5.2.3.3006 build 20250108 and later"
}
],
"source": {
"advisory": "QSA-24-54",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-50405",
"datePublished": "2025-03-07T16:13:17.099Z",
"dateReserved": "2024-10-24T03:45:32.283Z",
"dateUpdated": "2025-03-07T17:14:37.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51501 (GCVE-0-2024-51501)
Vulnerability from cvelistv5 – Published: 2024-11-04 22:56 – Updated: 2024-11-08 15:18
VLAI
Title
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
Summary
Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method. This method does not check for CRLF characters in the header value. This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using Refit and not in Refit itself. This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/reactiveui/refit/security/advi… | x_refsource_CONFIRM |
| https://github.com/reactiveui/refit/blob/258a771f… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| reactiveui | refit |
Affected:
< 7.2.22
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:reactiveui:refit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "refit",
"vendor": "reactiveui",
"versions": [
{
"lessThan": "8.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51501",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T14:43:10.039516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T14:44:31.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "refit",
"vendor": "reactiveui",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method. This method does not check for CRLF characters in the header value. This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using Refit and not in Refit itself. This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T15:18:51.985Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7"
},
{
"name": "https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328"
}
],
"source": {
"advisory": "GHSA-3hxg-fxwm-8gf7",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in Refit\u0027s [Header], [HeaderCollection] and [Authorize] attributes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51501",
"datePublished": "2024-11-04T22:56:50.231Z",
"dateReserved": "2024-10-28T14:20:59.339Z",
"dateUpdated": "2024-11-08T15:18:51.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Avoid using CRLF as a special sequence.
Mitigation
Phase: Implementation
Description:
- Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.