CVE-2023-26137 HIGH

Vendor N/A
Product drogonframework/drogon
Weakness CWE-113 · HTTP response splitting
Published July 6, 2023
Last update November 19, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:P

What the vulnerability does

01 Description

All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return and line feed) characters to end the HTTP response headers and inject malicious content.
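The check a caller can apply before untrusted input reaches a header-building function, as an added example that is not Drogon's code: `ToyResponse`, `isSafeHeaderValue`, `addHeaderChecked`, `serialize` and `countHeaderLines` are hypothetical names, and the input string is a constructed sample.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Toy response for this example only; it is not Drogon's HttpResponse.
struct ToyResponse {
    std::vector<std::pair<std::string, std::string>> headers;
};

// CR and LF end a header line, so text after them is parsed as a new header
// or as the body. NUL is rejected as well.
bool isSafeHeaderValue(const std::string &value) {
    return value.find_first_of(std::string("\r\n\0", 3)) == std::string::npos;
}

// Hypothetical guard to run on untrusted input before it reaches a
// header-building call. Adds nothing and returns false on rejection.
bool addHeaderChecked(ToyResponse &resp, const std::string &name,
                      const std::string &value) {
    if (name.empty() || !isSafeHeaderValue(name) || !isSafeHeaderValue(value))
        return false;
    resp.headers.emplace_back(name, value);
    return true;
}

// Serialise headers the way they go on the wire: "Name: value\r\n" each.
std::string serialize(const ToyResponse &resp) {
    std::string out = "HTTP/1.1 200 OK\r\n";
    for (const auto &h : resp.headers)
        out += h.first + ": " + h.second + "\r\n";
    return out + "\r\n";
}

// Number of header lines a client sees before the blank line.
std::size_t countHeaderLines(const std::string &wire) {
    const std::size_t end = wire.find("\r\n\r\n");
    std::size_t n = 0;
    for (std::size_t p = wire.find("\r\n"); p < end; p = wire.find("\r\n", p + 2))
        ++n;
    return n;
}

int main() {
    const std::string input = "en\r\nX-Injected: 1";  // constructed sample
    ToyResponse raw, checked;
    raw.headers.emplace_back("X-Lang", input);        // no validation
    std::cout << "unchecked header lines: " << countHeaderLines(serialize(raw)) << "\n";
    std::cout << "accepted by guard: " << addHeaderChecked(checked, "X-Lang", input) << "\n";
}
```

Rejecting the value outright, rather than stripping the characters, keeps a malformed request visible in logs and avoids silently altering what the application stores.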

Key dates

02 Disclosure timeline

July 6, 2023 CVE published
November 19, 2024 Record updated