NVD:CVE-2023-26148
Sep 29, 2023 - 5:15 a.m.

CVE-2023-26148

2023-09-29 05:15:46
CWE-74, CWE-93
web.nvd.nist.gov
Tags: crlf injection, vulnerability, package ithewei/libhv, untrusted user input, request headers, attack

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001
Percentile: 21.7%

All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return, line feed) characters and inject additional headers into the request that is sent.
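
The caller-side mitigation for this class of bug is to validate header names and values before they reach the HTTP client. The following C sketch is an added example, not code from libhv or from the NVD entry; append_header and its helpers are hypothetical names and the inputs in main are constructed.

```c
#include <stdio.h>
#include <string.h>

/* RFC 9110 "token" characters allowed in a header field name. */
static int is_token_char(unsigned char c) {
    if (c >= '0' && c <= '9') return 1;
    if ((c | 0x20) >= 'a' && (c | 0x20) <= 'z') return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Field name: non-empty and made only of token characters. */
static int name_is_safe(const char *n) {
    if (*n == '\0') return 0;
    for (; *n; n++)
        if (!is_token_char((unsigned char)*n)) return 0;
    return 1;
}

/* Field value: reject CR, LF and every other control byte except HTAB. */
static int value_is_safe(const char *v) {
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if ((c < 0x20 && c != '\t') || c == 0x7f) return 0;
    }
    return 1;
}

/* Appends "name: value\r\n" to buf (NUL-terminated, capacity cap).
 * Returns 0 on success, -1 if the field is rejected or does not fit;
 * buf is left untouched on failure. */
int append_header(char *buf, size_t cap, const char *name, const char *value) {
    size_t used = strlen(buf);
    size_t need = strlen(name) + 2 + strlen(value) + 2;
    if (!name_is_safe(name) || !value_is_safe(value)) return -1;
    if (used >= cap || need >= cap - used) return -1;
    snprintf(buf + used, cap - used, "%s: %s\r\n", name, value);
    return 0;
}

int main(void) {
    char req[256] = "GET /status HTTP/1.1\r\nHost: example.test\r\n";
    /* Constructed inputs: one benign value, one carrying an embedded CRLF. */
    int ok  = append_header(req, sizeof req, "X-Request-Id", "abc123");
    int bad = append_header(req, sizeof req, "X-Note", "hi\r\nX-Injected: 1");
    printf("benign=%d injected=%d\n%s\r\n", ok, bad, req);
    return 0;
}
```

Rejecting the field outright, rather than stripping the control bytes, keeps the failure visible to the caller and to logs.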

Affected configurations (NVD)

Vendor: ithewei
Product: libhv
Version: *
CPE: cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*
