CVE-2022-31150

CVSS v3 Score
6.5
Medium

Vulnerability Description

undici is an HTTP/1.1 client, written from scratch for Node.js. In versions of undici less than 5.7.1 it is possible to inject CRLF sequences (`\r\n`) into request headers: a header value taken from an untrusted source can terminate the current header line and append additional headers, or a body, to the outgoing request (HTTP request splitting). A fix was released in version 5.8.0. As a workaround, sanitize all HTTP header names and values that come from untrusted sources so that they cannot contain `\r` or `\n` before passing them to the client.
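The following added example (not undici's own code, and not the project's fix) makes the failure mode concrete: a naive HTTP/1.1 serializer turns one attacker-controlled header value into two header lines on the wire, while a validator based on the RFC 9110 field grammar rejects the value outright. The advisory's strip-`\r\n` workaround is shown alongside it. All function names and the sample header value are constructed for illustration.

```javascript
// Added example (not undici's code): CRLF injection into an HTTP/1.1 request
// head, and two defences. Function names and inputs are constructed here.

// Naive serializer that concatenates headers without checking for CR/LF.
// It is written out only so the resulting bytes are visible; it is not
// undici's implementation.
function serializeRequestNaive(method, path, host, headers) {
  let raw = `${method} ${path} HTTP/1.1\r\nhost: ${host}\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    raw += `${name}: ${value}\r\n`;
  }
  return raw + '\r\n';
}

// Number of header lines in the serialized head (everything before the
// blank line), excluding the request line.
function headerLineCount(raw) {
  const head = raw.split('\r\n\r\n')[0];
  return head.split('\r\n').length - 1;
}

// Hardened check following the RFC 9110 field grammar: a field name is a
// token (no controls, separators or whitespace); a field value may contain
// only HTAB, visible ASCII (0x20-0x7E) and obs-text (0x80-0xFF). CR, LF and
// NUL are rejected rather than stripped, so a tampered value fails loudly
// instead of silently changing meaning.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FIELD_VALUE_RE = /^[\t\x20-\x7e\x80-\xff]*$/;

function assertValidHeader(name, value) {
  if (!TOKEN_RE.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  const v = String(value);
  if (!FIELD_VALUE_RE.test(v)) {
    throw new TypeError(`invalid header value for ${name}: ${JSON.stringify(v)}`);
  }
}

function serializeRequestSafe(method, path, host, headers) {
  for (const [name, value] of Object.entries(headers)) {
    assertValidHeader(name, value);
  }
  return serializeRequestNaive(method, path, host, headers);
}

// The advisory's workaround: remove CR and LF from untrusted values before
// handing them to the client. Rejecting (above) is preferable when the value
// is never legitimately expected to contain them.
function stripCRLF(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Constructed attacker-controlled value, in the shape of the bottle.py
// demonstration in the related entries below: one intended header becomes
// two on the wire.
const INJECTED = { 'x-forwarded-for': '233\r\nSet-Cookie: name=salt' };

function demo() {
  const naive = serializeRequestNaive('GET', '/', 'example.com', INJECTED);
  let safeError = null;
  try {
    serializeRequestSafe('GET', '/', 'example.com', INJECTED);
  } catch (e) {
    safeError = e.message;
  }
  return { naiveHeaderLines: headerLineCount(naive), safeError };
}

console.log(demo());
```

With the injected value the naive serializer emits three header lines (host, x-forwarded-for and the smuggled Set-Cookie) where two were intended; the validating serializer throws before anything is written, and the stripping workaround collapses the value back to a single line.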

Related Vulnerabilities (CWE-93: Improper Neutralization of CRLF Sequences)

CVSS: 6.5 (Medium)
redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
CWE-93, 2016

CVSS: 6.5 (Medium)
Incorrect implementation in Content Security Policy in Google Chrome prior to 67.0.3396.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CWE-93, 2018

CVSS: 6.5 (Medium)
AMI SPx contains a vulnerability in the BMC where an Attacker may cause an improper neutralization of CRLF sequences in HTTP Headers. A successful exploit of this vulnerability may lead to a loss of i...
CWE-93, 2023

CVSS: 6.3 (Medium)
phpservermon is vulnerable to Improper Neutralization of CRLF Sequences
CWE-93, 2021

CVSS: 6.8 (Medium)
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. Th...
CWE-93, 2020

CVSS: 6.1 (Medium)
CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4...
CWE-93, 2014