How severe is CVE-2022-3215?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2022-3215?

This is classified as CWE-113, which is a common weakness in software security.

CVE-2022-3215 - HIGH Severity | CVSS 7.5

Vulnerability Description

NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace.

Related Vulnerabilities

CVE-2018-7830

HIGH

CVSS:7.5(High)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a...

CWE-1132018

CVE-2020-5247

HIGH

CVSS:7.5(High)

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end...

CWE-1132020

CVE-2023-42450

HIGH

CVSS:7.5(High)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary d...

CWE-1132023

CVE-2015-1445

HIGH

CVSS:7.2(High)

HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.

CWE-1132015

CVE-2016-8024

HIGH

CVSS:8.1(High)

Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to obtain sensiti...

CWE-1132016

CVE-2024-23644

HIGH

CVSS:8.1(High)

Trillium is a composable toolkit for building internet applications with async rust. In `trillium-http` prior to 0.3.12 and `trillium-client` prior to 0.5.4, insufficient validation of outbound header...

CWE-1132024