Vulnerability Details : CVE-2023-26142
All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.
Products affected by CVE-2023-26142
- cpe:2.3:a:crowcpp:crow:1.0\+5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26142
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-26142
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
Snyk |
CWE ids for CVE-2023-26142
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-26142
-
https://gist.github.com/dellalibera/9247769cc90ed96c0d72ddbcba88c65c
HTTP Response Splitting in Crow@v1.0+5 ยท GitHubExploit;Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-UNMANAGED-CROW-5665556
HTTP Response Splitting in Crow | CVE-2023-26142 | SnykThird Party Advisory
Jump to