CVE-2023-26138 MEDIUM

Vendor N/A
Product drogonframework/drogon
Weakness CWE-93 · CRLF injection
Published July 6, 2023
Last update November 19, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

What the vulnerability does

01 Description

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return, line feed) characters and inject additional headers into the request that is sent.
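A caller-side check for the condition described above, as an added example (not code from drogon or from this record): untrusted input is rejected before it reaches a header setter if it contains CR, LF or other control bytes. The names `isValidHeaderName`, `isValidHeaderValue` and `addHeaderChecked` are hypothetical, the `add` callback stands in for a call to the request object's addHeader, and the sample inputs are constructed.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>

// True if every byte is an RFC 7230 "tchar", the only bytes legal in a field name.
bool isValidHeaderName(const std::string &name) {
    static const std::string extra = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    return std::all_of(name.begin(), name.end(), [](unsigned char c) {
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        return alnum || extra.find(static_cast<char>(c)) != std::string::npos;
    });
}

// True if the value holds no CR, LF, NUL or other control byte (HTAB is allowed).
bool isValidHeaderValue(const std::string &value) {
    return std::none_of(value.begin(), value.end(), [](unsigned char c) {
        return (c < 0x20 && c != '\t') || c == 0x7f;
    });
}

// Hypothetical wrapper: invokes `add` (assumed to forward to addHeader)
// only when both the field name and the value pass validation.
template <typename AddFn>
bool addHeaderChecked(AddFn add, const std::string &name, const std::string &value) {
    if (!isValidHeaderName(name) || !isValidHeaderValue(value)) return false;
    add(name, value);
    return true;
}

int main() {
    std::string wire;  // stand-in for the serialized header block
    auto add = [&wire](const std::string &n, const std::string &v) {
        wire += n + ": " + v + "\r\n";
    };
    // Constructed inputs: one benign value, one carrying an embedded CRLF.
    bool ok = addHeaderChecked(add, "Accept-Language", "en-US");
    bool bad = addHeaderChecked(add, "Accept-Language", "en\r\nX-Injected: 1");
    std::printf("benign accepted=%d, CRLF value accepted=%d\n", ok, bad);
    std::printf("header lines written: %ld\n",
                static_cast<long>(std::count(wire.begin(), wire.end(), '\n')));
    return 0;
}
```

Rejecting the input outright, rather than stripping the offending bytes, keeps a malformed value from being silently rewritten into a different header value.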

Key dates

02 Disclosure timeline

July 6, 2023 CVE published
November 19, 2024 Record updated