Lucene search

[email protected]CVE-2023-26138

HistoryJul 06, 2023 - 5:15 a.m.

CVE-2023-26138

2023-07-0605:15:09

CWE-93

CWE-74

[email protected]

web.nvd.nist.gov

cve

2023

26138

crlf injection

drogonframework

drogon

nvd

security vulnerability

header injection

untrusted input

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.7%

JSON

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

Affected configurations

NVD

Node

drogondrogon

CPENameOperatorVersion
drogon:drogondrogoneq*

CPE	Name	Operator	Version
drogon:drogon	drogon	eq	*

CNA Affected

[
  {
    "product": "drogonframework/drogon",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

gist.github.com/dellalibera/d2abd809f32ec6c61be1f41d80edf61b

security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665555

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.7%

JSON

Related for CVE-2023-26138

prion1 cvelist1 nvd1