Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-23936
HistoryFeb 16, 2023 - 12:00 a.m.

CVE-2023-23936

2023-02-1600:00:00
ubuntu.com
ubuntu.com
17
undici
http/1.1
crlf injection

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

50.9%

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and
prior to version 5.19.1, the undici library does not protect host HTTP
header from CRLF injection vulnerabilities. This issue is patched in Undici
v5.19.1. As a workaround, sanitize the headers.host string before passing
to undici.

Bugs

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

50.9%