CVE-2023-23936

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Published: Feb 16, 2023 / Updated: 21mo ago

CVSS 5.4 / EPSS 0.06% / Medium

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
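The workaround above amounts to validating the `headers.host` value before it reaches the client. The following is an added example written for this page; it is not code from the advisory or from the undici project. The accepted grammar (a DNS-style hostname or bracketed IPv6 literal, with an optional port) and the sample inputs at the bottom are assumptions constructed for illustration; the call to `undici.request` appears only in a comment as a usage sketch.

```javascript
// Added example (not from the advisory or the undici project): validate a
// caller-influenced Host value before it is placed in request headers.
// Undici before 5.19.1 did not strip CR/LF from `headers.host`, so a value
// containing a line break could terminate the header line; the advisory's
// workaround is to sanitize that string first.
// The accepted grammar is a deliberate simplification (assumption):
// a DNS-style hostname or a bracketed IPv6 literal, with an optional port.
const LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const HOST_PATTERN = new RegExp(
  `^(?:\\[[0-9A-Fa-f:.]+\\]|${LABEL}(?:\\.${LABEL})*)(?::[0-9]{1,5})?$`
);

// True if the value contains a carriage return or line feed, the bytes
// that end an HTTP/1.1 header line and make header injection possible.
function containsCRLF(value) {
  return /[\r\n]/.test(value);
}

// Returns the reason a host value is rejected, or null if it is acceptable.
function hostRejectionReason(host) {
  if (typeof host !== 'string') return 'not a string';
  if (containsCRLF(host)) return 'contains CR or LF';
  if (/[\x00-\x1f\x7f]/.test(host)) return 'contains a control character';
  if (host.length > 255) return 'too long';
  if (!HOST_PATTERN.test(host)) return 'not a valid host[:port]';
  return null;
}

function isSafeHost(host) {
  return hostRejectionReason(host) === null;
}

// Fail closed: throwing is preferable to silently stripping CR/LF, because
// a "cleaned" attacker-chosen hostname would still be sent to the client.
function sanitizeHost(host) {
  const reason = hostRejectionReason(host);
  if (reason !== null) {
    throw new Error(`Rejected Host header value: ${reason}`);
  }
  return host;
}

// Build the headers object that would be handed to the client, e.g.
//   undici.request(url, { headers: buildHeaders(incomingHost) })
function buildHeaders(incomingHost, extra = {}) {
  return { ...extra, host: sanitizeHost(incomingHost) };
}

// Constructed sample inputs (not real traffic) showing what is accepted
// and what is refused by the checks above.
const SAMPLES = [
  'example.com',
  'api.example.com:8443',
  '[::1]:3000',
  'example.com\r\nX-Injected: 1', // CRLF inside the value: rejected
  'example.com\nX-Injected: 1',   // a bare LF is rejected as well
  'exa mple.com',                 // not a valid hostname
  'example.com:99999x',           // malformed port
];

function classifySamples(samples = SAMPLES) {
  return samples.map((s) => ({ host: s, reason: hostRejectionReason(s) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { host, reason } of classifySamples()) {
    console.log(JSON.stringify(host), '=>', reason ?? 'accepted');
  }
}
```

The control-character check is broader than the CVE strictly requires: NUL, tab and other C0 bytes have no place in a Host value either, and rejecting them costs nothing. On a server that proxies a client's own `Host` header, the same check belongs at the boundary where that header is read, before the value is stored or forwarded.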

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2023-23936. See article

Feb 16, 2023 at 6:17 PM / twitter.com
EPSS

EPSS Score was set to: 0.06% (Percentile: 21.3%)

Sep 19, 2023 at 9:43 PM
Vendor Advisory

RedHat released a security advisory (RHSA-2023:5533).

Oct 9, 2023 at 8:00 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (189669)

Jan 26, 2024 at 4:15 PM

Affected Systems

Nodejs/undici

Exploits

https://hackerone.com/reports/1820955

Patches

Oracle

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-15: Command Delimiters

Vendor Advisory

Oracle Linux Bulletin - April 2023
Oracle Id: linuxbulletinapr2023 Release Date: 2023-04-18 Update Date: 2023-06-22 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible. Revision 3: Published on 2023-06-22 CVE-2023-25136 CVSS Base Score :9.8 CVSS Vector :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Product :

References

Node v18.14.1 (LTS)
Thursday February 16 2023 Security Releases

News

Oracle Linux 9 : nodejs (ELSA-2023-3586)
Nessus Plugin ID 177339 with Medium Severity Synopsis The remote Oracle Linux host is missing one or more security updates. Description The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-3586 advisory. - Update bundled c-ares to 1.19.1 Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067 - Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920 - Resolves: CVE-2022-25881 CVE-2022-4904 - Resolves: CVE-2021-44906 - Rebase to version 16.17.1 Resolves: CVE-2022-35255 CVE-2022-35256 - Rebase to version 16.16.0 Resolves: RHBZ#2106290 Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 Resolves:
Multiple vulnerabilities in IBM Watson CP4D Data Stores
A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack. The vulnerability allows a remote user to perform a denial of service (DoS) attack.
Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to multiple vulnerabilities
Summary Multiple potential vulnerabilities have been identified that may affect IBM Watson CP4D Data Stores. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID: CVE-2022-35255 DESCRIPTION: Node.js could provide weaker than expected security, caused by the failure to check the return value after calls are made to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 7.3 CVSS Temporal Score: See:
Automate version 4.13.0 Released!
We are delighted to announce the availability of version 4.13.0 of Chef Automate. Updated Minio to fix following CVEs ( #4625 ):
Chef Infra Server 15.10.12 Released!
For more information, see the Chef Infra Server License Usage documentation . Updated OpenJRE to 11.0.22+7 to resolve the following CVEs:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: None
