5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
46.6%
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and
prior to version 5.19.1, the undici library does not protect host
HTTP
header from CRLF injection vulnerabilities. This issue is patched in Undici
v5.19.1. As a workaround, sanitize the headers.host
string before passing
to undici.
github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034 (v5.19.1)
github.com/nodejs/undici/releases/tag/v5.19.1
github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
hackerone.com/reports/1820955
launchpad.net/bugs/cve/CVE-2023-23936
nvd.nist.gov/vuln/detail/CVE-2023-23936
security-tracker.debian.org/tracker/CVE-2023-23936
www.cve.org/CVERecord?id=CVE-2023-23936
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
46.6%