Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. Common use-cases here might be to place usernames from a database into HTTP header fields. This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours.
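The bug class the advisory describes, shown with a toy HTTP/1.1 request serialiser (an added example, not AsyncHTTPClient's own code): the unvalidated path copies a header value onto the wire verbatim, so a value carrying CR LF becomes an extra header field when the server parses the request; the validated path rejects such values before anything is sent, and a sanitising variant is included for callers that would rather strip the characters than fail. The header names and values, the "username" input, and the function names are all constructed for this illustration.

```python
# Added example, not AsyncHTTPClient's code. Demonstrates CRLF injection
# through unvalidated HTTP header field values with a toy request serialiser,
# and the validation that prevents it. All inputs below are constructed.
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# RFC 9110 "tchar": the only characters allowed in a header field name.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
# CR and LF terminate a header line on the wire; NUL is never valid either.
FORBIDDEN_IN_VALUE = {"\r", "\n", "\0"}


class InvalidHeaderField(ValueError):
    """Raised when a header name or value could corrupt the request framing."""


def validate_header_name(name: str) -> str:
    if not name or any(ch not in TCHAR for ch in name):
        raise InvalidHeaderField(f"invalid header field name: {name!r}")
    return name


def validate_header_value(value: str) -> str:
    # A value containing CR or LF would be parsed by the server as further
    # header fields, or as the start of a second request.
    if any(ch in FORBIDDEN_IN_VALUE for ch in value):
        raise InvalidHeaderField(f"control characters in header value: {value!r}")
    return value


def sanitise_header_value(value: str) -> str:
    """Alternative to rejecting: collapse each CR/LF run to a single space.
    Reasonable for display-only values such as a username echoed back."""
    out: List[str] = []
    in_run = False
    for ch in value:
        if ch in ("\r", "\n"):
            if not in_run:
                out.append(" ")
                in_run = True
        else:
            out.append(ch)
            in_run = False
    return "".join(out)


def serialise_request(method: str, path: str, headers: Iterable[Header],
                      validate: bool = True) -> bytes:
    """Serialise a request head. validate=False mirrors the vulnerable
    behaviour: field values are copied onto the wire unchecked."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        if validate:
            name, value = validate_header_name(name), validate_header_value(value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_fields_on_wire(wire: bytes) -> List[str]:
    """Parse the head back the way a server would and return the header
    field names it sees; unvalidated input changes this list."""
    head = wire.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    return [ln.split(b":", 1)[0].decode("latin-1") for ln in lines if ln]


if __name__ == "__main__":
    # Constructed untrusted input: a "username" that carries CR LF.
    tainted = "alice\r\nX-Injected: 1"
    vuln = serialise_request("GET", "/", [("Host", "example.com"),
                                           ("X-User", tainted)], validate=False)
    print(header_fields_on_wire(vuln))   # ['Host', 'X-User', 'X-Injected']
    try:
        serialise_request("GET", "/", [("X-User", tainted)])
    except InvalidHeaderField as exc:
        print("rejected:", exc)
    print(sanitise_header_value(tainted))  # 'alice X-Injected: 1'
```

Rejecting is the safer default for a client library, since it surfaces the tainted data at the call site instead of silently altering it; sanitising is only appropriate where the application knows the value is informational and a mangled string is acceptable.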
Published: 2023-01-18 19:15:11
Updated: 2023-01-26 17:30:28
Source: Swift Project
Also listed at NVD and CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-0040

EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
Percentile: ~24% (the proportion of vulnerabilities scored at or below this value)

CVSS scores for CVE-2023-0040

Base Score: 7.5
Base Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability Score: 3.9
Impact Score: 3.6
Score Source: NIST

CWE ids for CVE-2023-0040

References for CVE-2023-0040

Products affected by CVE-2023-0040
