cvelistv5 - cve-2023-29530

cve-2023-29530

Vulnerability from cvelistv5

Published

2023-04-24 19:34

Modified

2024-08-02 14:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-wxmh-65f7-jcvw	Not Applicable
security-advisories@github.com	https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36	Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-wxmh-65f7-jcvw	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/	Mailing List, Third Party Advisory

Impacted products

Vendor

Product

Version

▼

laminas

laminas-diactoros

Version: < 2.18.1
Version: = 2.19.0
Version: = 2.20.0
Version: = 2.21.0
Version: = 2.22.0
Version: = 2.23.0
Version: = 2.24.0
Version: = 2.25.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:14:38.607Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
          },
          {
            "name": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "laminas-diactoros",
          "vendor": "laminas",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.18.1"
            },
            {
              "status": "affected",
              "version": "= 2.19.0"
            },
            {
              "status": "affected",
              "version": "= 2.20.0"
            },
            {
              "status": "affected",
              "version": "= 2.21.0"
            },
            {
              "status": "affected",
              "version": "= 2.22.0"
            },
            {
              "status": "affected",
              "version": "= 2.23.0"
            },
            {
              "status": "affected",
              "version": "= 2.24.0"
            },
            {
              "status": "affected",
              "version": "= 2.25.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-24T19:34:40.294Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
        },
        {
          "name": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
        }
      ],
      "source": {
        "advisory": "GHSA-xv3h-4844-9h36",
        "discovery": "UNKNOWN"
      },
      "title": "Laminas Diactoros vulnerable to HTTP Multiline Header Termination"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-29530",
    "datePublished": "2023-04-24T19:34:40.294Z",
    "dateReserved": "2023-04-07T18:56:54.630Z",
    "dateUpdated": "2024-08-02T14:14:38.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.18.1\", \"matchCriteriaId\": \"BFBEAEC3-D107-4137-91F2-8A84490184E3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.19.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DB1A0F96-4101-4B39-8978-56E99B4A9AC1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.20.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9DE2176-DE48-4C54-8BD6-544963C6DF2A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.21.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A4C5DAF3-32CD-4E9B-A65D-182C539657D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.22.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"97159541-821D-4653-BEA4-C56A28F8C294\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.23.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59692B7C-63C6-4461-9B88-A0654CD7F97C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.24.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7084070F-E50B-4E81-8DE4-A1775FAB4487\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getlaminas:laminas-diactoros:2.25.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CBCC392-7E5C-4787-B4AF-E158F3E71DBD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.9.1\", \"matchCriteriaId\": \"704750B5-E610-4CDF-AE19-64DA9B537919\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.4.5\", \"matchCriteriaId\": \"DB62DA3C-0E8C-4240-9238-67D584A839D3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.\"}]",
      "id": "CVE-2023-29530",
      "lastModified": "2024-11-21T07:57:14.487",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2023-04-24T20:15:08.823",
      "references": "[{\"url\": \"https://github.com/advisories/GHSA-wxmh-65f7-jcvw\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-wxmh-65f7-jcvw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-29530\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-04-24T20:15:08.823\",\"lastModified\":\"2024-11-21T07:57:14.487\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.18.1\",\"matchCriteriaId\":\"BFBEAEC3-D107-4137-91F2-8A84490184E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB1A0F96-4101-4B39-8978-56E99B4A9AC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.20.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9DE2176-DE48-4C54-8BD6-544963C6DF2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.21.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4C5DAF3-32CD-4E9B-A65D-182C539657D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.22.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97159541-821D-4653-BEA4-C56A28F8C294\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.23.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59692B7C-63C6-4461-9B88-A0654CD7F97C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.24.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7084070F-E50B-4E81-8DE4-A1775FAB4487\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getlaminas:laminas-diactoros:2.25.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CBCC392-7E5C-4787-B4AF-E158F3E71DBD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.1\",\"matchCriteriaId\":\"704750B5-E610-4CDF-AE19-64DA9B537919\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.4.5\",\"matchCriteriaId\":\"DB62DA3C-0E8C-4240-9238-67D584A839D3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-wxmh-65f7-jcvw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-wxmh-65f7-jcvw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}

gsd-2023-29530

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-29530

Aliases

CVE-2023-29530

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-29530",
    "id": "GSD-2023-29530"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-29530"
      ],
      "details": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.",
      "id": "GSD-2023-29530",
      "modified": "2023-12-13T01:20:57.373876Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-29530",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "laminas-diactoros",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.18.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.19.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.20.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.21.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.22.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.23.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.24.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 2.25.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "laminas"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36",
            "refsource": "MISC",
            "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
          },
          {
            "name": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xv3h-4844-9h36",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.18.1||=2.19.0||=2.20.0||=2.21.0||=2.22.0||=2.23.0||\u003e=2.24.0,\u003c2.24.2||\u003e=2.25.0,\u003c2.25.2",
          "affected_versions": "All versions before 2.18.1, all versions starting from 2.19.0 up to 2.24.2, all versions starting from 2.25.0 before 2.25.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-05-05",
          "description": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.",
          "fixed_versions": [
            "2.18.1",
            "2.19.1",
            "2.20.1",
            "2.21.1",
            "2.22.1",
            "2.23.1",
            "2.24.2",
            "2.25.2"
          ],
          "identifier": "CVE-2023-29530",
          "identifiers": [
            "CVE-2023-29530",
            "GHSA-xv3h-4844-9h36"
          ],
          "not_impacted": "All versions starting from 2.18.1 before 2.19.0, all versions after 2.24.2 before 2.25.0, all versions starting from 2.25.2",
          "package_slug": "packagist/laminas/laminas-diactoros",
          "pubdate": "2023-04-24",
          "solution": "Upgrade to versions 2.18.1, 2.25.2 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-29530",
            "https://github.com/laminas/laminas-diactoros/commit/7e721a60a09c5119c98694c2d23fc031094e1f1c",
            "https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
            "https://github.com/advisories/GHSA-xv3h-4844-9h36"
          ],
          "uuid": "8199cda9-c9e0-4068-a520-e67c827ca65d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.5",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.9.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.19.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.20.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.21.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.22.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.23.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.24.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:2.25.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:getlaminas:laminas-diactoros:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.18.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-29530"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
            },
            {
              "name": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-05T13:58Z",
      "publishedDate": "2023-04-24T20:15Z"
    }
  }
}

ghsa-xv3h-4844-9h36

Vulnerability from github

Published

2023-04-24 22:42

Modified

2023-04-28 20:07

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

HTTP Multiline Header Termination

Details

Impact

Affected versions of Laminas Diactoros accepted a single line feed (LF / \n ) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.

Patches

The problem has been patched in the following versions:

2.18.1
2.19.1
2.20.1
2.21.1
2.22.1
2.23.1
2.24.2
2.25.2

Workarounds

Validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().

References

CVE-2023-29197
GHSA-wxmh-65f7-jcvw

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.19.0"
            },
            {
              "fixed": "2.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.19.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.20.0"
            },
            {
              "fixed": "2.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.20.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.21.0"
            },
            {
              "fixed": "2.21.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.21.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.22.0"
            },
            {
              "fixed": "2.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.22.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.23.0"
            },
            {
              "fixed": "2.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.23.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.24.0"
            },
            {
              "fixed": "2.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laminas/laminas-diactoros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.25.0"
            },
            {
              "fixed": "2.25.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-24T22:42:39Z",
    "nvd_published_at": "2023-04-24T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAffected versions of Laminas Diactoros accepted a single line feed (LF / `\\n` ) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service\u2019s web application firewall bans the application due to the receipt of malformed requests.\n\n### Patches\n\nThe problem has been patched in the following versions:\n\n- 2.18.1\n- 2.19.1\n- 2.20.1\n- 2.21.1\n- 2.22.1\n- 2.23.1\n- 2.24.2\n- 2.25.2\n\n### Workarounds\n\nValidate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.\n\n### References\n\n- CVE-2023-29197\n- GHSA-wxmh-65f7-jcvw",
  "id": "GHSA-xv3h-4844-9h36",
  "modified": "2023-04-28T20:07:40Z",
  "published": "2023-04-24T22:42:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laminas/laminas-diactoros/commit/7e721a60a09c5119c98694c2d23fc031094e1f1c"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laminas/laminas-diactoros"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP Multiline Header Termination"
}

fkie_cve-2023-29530

Vulnerability from fkie_nvd

Published

2023-04-24 20:15

Modified

2024-11-21 07:57

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-wxmh-65f7-jcvw	Not Applicable
security-advisories@github.com	https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36	Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-wxmh-65f7-jcvw	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
getlaminas	laminas-diactoros	*
getlaminas	laminas-diactoros	2.19.0
getlaminas	laminas-diactoros	2.20.0
getlaminas	laminas-diactoros	2.21.0
getlaminas	laminas-diactoros	2.22.0
getlaminas	laminas-diactoros	2.23.0
getlaminas	laminas-diactoros	2.24.0
getlaminas	laminas-diactoros	2.25.0
guzzlephp	psr-7	*
guzzlephp	psr-7	*
fedoraproject	fedora	38

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFBEAEC3-D107-4137-91F2-8A84490184E3",
              "versionEndExcluding": "2.18.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.19.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB1A0F96-4101-4B39-8978-56E99B4A9AC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.20.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9DE2176-DE48-4C54-8BD6-544963C6DF2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.21.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4C5DAF3-32CD-4E9B-A65D-182C539657D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.22.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "97159541-821D-4653-BEA4-C56A28F8C294",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.23.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59692B7C-63C6-4461-9B88-A0654CD7F97C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.24.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7084070F-E50B-4E81-8DE4-A1775FAB4487",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getlaminas:laminas-diactoros:2.25.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CBCC392-7E5C-4787-B4AF-E158F3E71DBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "704750B5-E610-4CDF-AE19-64DA9B537919",
              "versionEndExcluding": "1.9.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB62DA3C-0E8C-4240-9238-67D584A839D3",
              "versionEndExcluding": "2.4.5",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`."
    }
  ],
  "id": "CVE-2023-29530",
  "lastModified": "2024-11-21T07:57:14.487",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-24T20:15:08.823",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2023-29530

Vulnerability from cvelistv5

gsd-2023-29530

Vulnerability from gsd

ghsa-xv3h-4844-9h36

Vulnerability from github

Impact

Patches

Workarounds

References

fkie_cve-2023-29530

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature