Vulnerability Details : CVE-2023-29530
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in the following versions: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.
Vulnerability category: Input validation; Denial of service
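The following is an added example illustrating the advisory's workaround; it is not code from the laminas-diactoros project. It trims leading and trailing CR/LF from a user-supplied header value and validates header names against RFC 7230 token characters before the value reaches a PSR-7 `withHeader()` call. The function names are this example's own, the sample inputs are constructed, and the final block assumes laminas-diactoros is installed via Composer but is skipped when it is not.

```php
<?php
declare(strict_types=1);

// Added example, not laminas-diactoros project code. Helper names below are
// this example's own.

/** Strip leading/trailing CR and LF from a user-supplied header value. */
function stripHeaderValueEdges(string $value): string
{
    return trim($value, "\r\n");
}

/** A header value is only safe to emit when it contains no CR or LF at all. */
function isValidHeaderValue(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

/** RFC 7230 token characters are the only characters allowed in a field name. */
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) === 1;
}

/**
 * Filter a user-supplied value for withHeader(): trim edge newlines, then
 * reject anything that still contains CR/LF rather than passing it on.
 */
function filterHeaderValue(string $value): string
{
    $clean = stripHeaderValueEdges($value);
    if (!isValidHeaderValue($clean)) {
        throw new InvalidArgumentException('header value contains CR or LF');
    }
    return $clean;
}

/** Reject a user-supplied header name that is not a valid token. */
function filterHeaderName(string $name): string
{
    $clean = trim($name, "\r\n");
    if (!isValidHeaderName($clean)) {
        throw new InvalidArgumentException('header name is not a valid token');
    }
    return $clean;
}

// Constructed sample inputs: a trailing newline on a value (the advisory's
// case), a trailing newline on a name, and a value with an embedded newline.
$samples = [
    ['Content-Type', "text/plain\n"],
    ["X-Request-Id\n", 'abc123'],
    ['Content-Type', "text/plain\r\nX-Other: 1"],
];

foreach ($samples as [$rawName, $rawValue]) {
    try {
        $name  = filterHeaderName($rawName);
        $value = filterHeaderValue($rawValue);
        echo 'accepted: ' . json_encode([$name, $value]) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . json_encode([$rawName, $rawValue])
            . ' (' . $e->getMessage() . ')' . PHP_EOL;
    }
}

// Assumption: laminas-diactoros installed via Composer and autoloaded. The
// filter above does not need it; this block is skipped when it is absent.
if (class_exists(\Laminas\Diactoros\Response::class)) {
    $response = (new \Laminas\Diactoros\Response())
        ->withHeader(filterHeaderName('Content-Type'), filterHeaderValue("text/plain\n"));
    echo $response->getHeaderLine('Content-Type') . PHP_EOL;
}
```

The first two samples are accepted after trimming; the third is rejected because an embedded CR/LF is not the leading/trailing case the advisory describes and should never be silently forwarded.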
Products affected by CVE-2023-29530
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:*:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:getlaminas:laminas-diactoros:2.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29530
EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~30% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-29530
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2023-29530
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-29530
- https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36 (HTTP Multiline Header Termination · Advisory · laminas/laminas-diactoros · GitHub; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336/ ([SECURITY] Fedora 38 Update: php-laminas-diactoros2-2.25.2-1.fc38 - package-announce - Fedora Mailing-Lists; Mailing List; Third Party Advisory)
- https://github.com/advisories/GHSA-wxmh-65f7-jcvw (Improper header name validation in guzzlehttp/psr7 · CVE-2023-29197 · GitHub Advisory Database · GitHub; Not Applicable)