CVE-2023-26142 MEDIUM

Vendor N/A
Product Crow
Weakness CWE-113 · HTTP response splitting
Published September 12, 2023
Last update September 26, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P

What the vulnerability does

01 Description

All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content.
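The following is an added example, not code from Crow or from this record: a stand-alone model of header serialization showing why an unvalidated value changes the header block, next to a validating setter an application could put in front of set_header and add_header. The Response type and all function names are hypothetical, and the sample input is constructed.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// RFC 9110 field-name is a token: alphanumerics plus a fixed set of symbols.
bool is_safe_header_name(const std::string& name) {
    static const std::string tchar = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && tchar.find(static_cast<char>(c)) == std::string::npos) return false;
    return true;
}

// Reject CR, LF, NUL and every other control character except horizontal tab.
bool is_safe_header_value(const std::string& value) {
    for (unsigned char c : value)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    return true;
}

struct Response {  // hypothetical minimal response type, not Crow's
    std::vector<std::pair<std::string, std::string>> headers;
    // Unvalidated path: whatever the caller passes is written to the wire.
    void set_header_unchecked(std::string n, std::string v) { headers.emplace_back(std::move(n), std::move(v)); }
    // Validated path: refuses the header instead of trying to repair it.
    bool set_header_checked(const std::string& n, const std::string& v) {
        if (!is_safe_header_name(n) || !is_safe_header_value(v)) return false;
        headers.emplace_back(n, v);
        return true;
    }
    std::string serialize() const {
        std::string out = "HTTP/1.1 200 OK\r\n";
        for (const auto& h : headers) out += h.first + ": " + h.second + "\r\n";
        return out + "\r\n";
    }
};

// Number of header lines a parser sees before the blank line (status line excluded).
std::size_t header_line_count(const std::string& raw) {
    std::size_t n = 0, pos = 0;
    for (std::size_t eol; (eol = raw.find("\r\n", pos)) != std::string::npos && eol != pos; pos = eol + 2) ++n;
    return n ? n - 1 : 0;
}

int main() {
    const std::string untrusted = "en\r\nX-Injected: 1";  // constructed sample input
    Response a; a.set_header_unchecked("Content-Language", untrusted);
    Response b; bool ok = b.set_header_checked("Content-Language", untrusted);
    std::cout << header_line_count(a.serialize()) << " " << ok << "\n";
}
```

Rejecting the value outright, rather than stripping the control characters, keeps the failure visible to the caller and to logging.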

Key dates

02 Disclosure timeline

September 12, 2023 CVE published
September 26, 2024 Record updated