Lucene search

SnykCVELIST:CVE-2023-26148

HistorySep 29, 2023 - 5:00 a.m.

CVE-2023-26148

2023-09-2905:00:03

snyk

www.cve.org

crlf injection

untrusted user input

request headers

additional headers

cve-2023-26148

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

EPSS

0.001

Percentile

21.7%

JSON

All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

CNA Affected

[
  {
    "product": "ithewei/libhv",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

gist.github.com/dellalibera/65d136066fdd5ea4dddaadaa9b0ba90e

security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730769

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

EPSS

0.001

Percentile

21.7%

JSON

Related for CVELIST:CVE-2023-26148