GHSA-v3r5-pjpm-mwgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-v3r5-pjpm-mwgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-v3r5-pjpm-mwgq/GHSA-v3r5-pjpm-mwgq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v3r5-pjpm-mwgq
Aliases
Published
2023-06-07T15:52:55Z
Modified
2023-11-08T04:11:04.956657Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Async HTTP Client has CRLF Injection vulnerability in HTTP request headers
Details

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. Common use-cases here might be to place usernames from a database into HTTP header fields.

This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours.

Database specific
{
    "nvd_published_at": "2023-01-18T19:15:00Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-93"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-07T15:52:55Z"
}
References

Affected packages

SwiftURL / github.com/swift-server/async-http-client

Package

Name
github.com/swift-server/async-http-client
Purl
pkg:swift/github.com/swift-server/async-http-client

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.13.2

SwiftURL / github.com/swift-server/async-http-client

Package

Name
github.com/swift-server/async-http-client
Purl
pkg:swift/github.com/swift-server/async-http-client

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.12.1

SwiftURL / github.com/swift-server/async-http-client

Package

Name
github.com/swift-server/async-http-client
Purl
pkg:swift/github.com/swift-server/async-http-client

Affected ranges

Type
SEMVER
Events
Introduced
1.5.0
Fixed
1.9.1

SwiftURL / github.com/swift-server/async-http-client

Package

Name
github.com/swift-server/async-http-client
Purl
pkg:swift/github.com/swift-server/async-http-client

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.1