GHSA-4rgh-jx4f-qfcq

Suggest an improvement
Source
https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4rgh-jx4f-qfcq/GHSA-4rgh-jx4f-qfcq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4rgh-jx4f-qfcq
Aliases
Published
2022-05-24T17:37:16Z
Modified
2023-11-08T04:03:35.243834Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
http before 0.13.3 vulnerable to header injection
Details

An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating request methods.

References

Affected packages

Pub / http

Package

Name
http
Purl
pkg:pub/http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.13.3

Affected versions

0.*

0.2.7+0
0.2.8+2
0.2.9+7
0.2.10+1
0.3.1+1
0.3.2
0.3.4
0.3.5+1
0.3.7+6
0.4.0
0.4.1
0.4.2
0.4.3+1
0.4.4+4
0.4.5+1
0.4.7+1
0.5.0+1
0.5.1
0.5.4
0.5.5
0.5.6
0.5.7
0.5.9
0.5.11+1
0.5.12
0.5.13
0.5.14+1
0.5.14+3
0.5.15
0.5.16
0.5.17
0.5.20
0.6.1
0.6.2
0.6.3+1
0.6.5
0.6.6
0.6.8
0.6.9
0.6.9+2
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15+2
0.6.15+3
0.6.17
0.6.17+2
0.6.19
0.6.20+1
0.6.21+3
0.7.0
0.7.1
0.7.2
0.7.2+1
0.7.3+1
0.7.4
0.7.5
0.7.6
0.7.6+4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.10+3
0.8.10+4
0.9.0
0.9.1
0.9.2
0.9.2+1
0.9.2+3
0.10.0
0.11.0
0.11.0+1
0.11.1
0.11.1+1
0.11.1+3
0.11.2
0.11.3
0.11.3+1
0.11.3+2
0.11.3+3
0.11.3+4
0.11.3+5
0.11.3+6
0.11.3+7
0.11.3+8
0.11.3+9
0.11.3+11
0.11.3+12
0.11.3+13
0.11.3+14
0.11.3+15
0.11.3+16
0.11.3+17
0.12.0
0.12.0+1
0.12.0+2
0.12.0+3
0.12.0+4
0.12.1
0.12.2
0.13.0-nullsafety.0
0.13.0
0.13.1
0.13.2