CVE-2022-31150

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Published: Jul 19, 2022 / Updated: 28mo ago

CVSS 6.5 / EPSS 0.11% / Medium

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
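The workaround above amounts to refusing any header name or value that carries a bare CR or LF before it reaches the client. The following is an added example, not undici's own code: a small validator for a plain headers object, plus a constructed untrusted value (`X-Request-Id`, `X-Injected`, `demo` are all hypothetical) that shows how many header lines an unchecked `\r\n` would turn into on the wire.

```javascript
// Added example, not undici's code: enforce the advisory's workaround by
// rejecting header names/values containing CR, LF or NUL before any HTTP
// client sees them. Names must be RFC 7230 tokens.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const CTL_RE = /[\r\n\0]/;

class HeaderInjectionError extends Error {}

// Returns [name, value] as strings, or throws on the first unsafe character.
function validateHeader(name, value) {
  if (typeof name !== 'string' || !HEADER_NAME_RE.test(name)) {
    throw new HeaderInjectionError(`bad header name ${JSON.stringify(name)}`);
  }
  const v = String(value);
  if (CTL_RE.test(v)) {
    throw new HeaderInjectionError(`control char in ${name}: ${JSON.stringify(v)}`);
  }
  return [name, v];
}

// Validates every entry of a plain headers object. It throws rather than
// silently stripping, so a tampered value can be logged instead of half-sent.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const [n, v] = validateHeader(name, value);
    out[n] = v;
  }
  return out;
}

// What a client that performs no checking would place on the wire.
function renderHeaderBlock(headers) {
  return Object.entries(headers).map(([n, v]) => `${n}: ${v}\r\n`).join('');
}

// Number of header lines the peer would parse from that block.
function countHeaderLines(headers) {
  return renderHeaderBlock(headers).split('\r\n').filter(Boolean).length;
}

// Constructed sample: one user-controlled value smuggling a second header.
const untrusted = { 'X-Request-Id': 'abc123\r\nX-Injected: 1' };

function demo() {
  const lines = countHeaderLines(untrusted); // 2 lines from a single entry
  let rejected = false;
  try { sanitizeHeaders(untrusted); } catch (e) { rejected = e instanceof HeaderInjectionError; }
  return { lines, rejected };                // { lines: 2, rejected: true }
}
```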

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2022-31150.

Jul 18, 2022 at 8:52 AM / github.com

EPSS

EPSS Score was set to: 0.11% (Percentile: 42.3%)

Sep 18, 2023 at 3:24 PM

Affected Systems

Nodejs/undici

Exploits

https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-15: Command Delimiters

Vendor Advisory

CVE-2022-31150
CVE Id: CVE-2022-31150
Release Date: 2022-07-19
Update Date: 2022-07-26
Impact: Moderate
CVSS Base Score: 5.3
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description: undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

News

Vigil@nce - Node.js undici: header injection via CRLF, analyzed on 08/09/2022
The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them. An attacker can add new headers on Node.js undici, via CRLF, in order to alter the service behavior.
Red Hat Security Advisory 2022-6696-01
Red Hat Security Advisory 2022-6696-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.
Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.4
A remote attacker can pass a specially crafted multi-gigabyte XML file to the application, trigger an integer overflow and execute arbitrary code on the target system. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and cause a denial of service condition on the target system.
RHSA-2022:6696: Critical: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes
Critical: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes Red Hat Advanced Cluster Management for Kubernetes 2.4.6 images
🚨 NEW: CVE-2022-31150 🚨 undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in vers... (click for more) Severity: MEDIUM https://nvd.nist.gov/vuln/detail/CVE-2022-31150

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: None
