FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2023-26130

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Published: May 30, 2023 / Updated: 18mo ago

010
CVSS 8.8EPSS 0.06%High
CVE info copied to clipboard

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-26130. See article

May 30, 2023 at 5:14 AM / cve.report
EPSS

EPSS Score was set to: 0.06% (Percentile: 22.7%)

Sep 16, 2023 at 4:42 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (194897)

May 2, 2024 at 5:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (285523)

May 2, 2024 at 7:53 AM
Static CVE Timeline Graph

Affected Systems

Cpp-httplib_project/cpp-httplib
+null more

Patches

bugzilla.redhat.com
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-15: Command Delimiters
+null more

Vendor Advisory

CVE-2023-26130
Red Hat CVE Database / 17mo
No Red Hat product is affected by this vulnerability. Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests.

News

Fedora 38: et 2024-bd9e67c117 Security Advisory Updates
LinuxSecurity Advisories / 6mo
Update to 6.2.8, fixing CVE-2022-48257 and CVE-2022-48258 Unbundle cpp-httlib, fixing CVE-2023-26130
Fedora 40: et 2024-b745c97f4b Security Advisory Updates
LinuxSecurity.com - Hybrid RSS / 6mo
For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label Summary : Remote shell that survives IP roaming and disconnect
TPM2, et, Python, and more updates for Fedora
Linux Compatible / 6mo
Summary : Python HTTP client/server for asyncio Summary : OpenAPI client-side and server-side support
Fedora 40 : et (2024-b745c97f4b)
Newest Plugins from Tenable / 6mo
The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-b745c97f4b advisory. Update the affected et package.
Fedora EPEL 8 update for et
Security feed from CyberSecurity Help / 6mo
The vulnerability allows a local user to disable application log. The vulnerability allows a local user to gain access to sensitive information.
See 22 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.8(18246)CWE-93(62)CWE-74(1406)CWE-77(2525)Cpp-httplib project(2)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial