Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)
Trillium, a toolkit for building internet applications with async Rust, has a vulnerability in trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4. The issue stems from insufficient validation of outbound header values, which can lead to request splitting or response splitting attacks in scenarios where attackers have control over headers. Specifically, if untrusted and unvalidated input containing "\r\n" sequences is inserted into header names or values, it can be exploited. The root cause is that HeaderValue and HeaderName could be constructed infallibly, without any check for illegal bytes, and then serialized as-is when sending requests from the client or responses from the server.
If exploited, this vulnerability could allow attackers to get the client and server out of sync, potentially leading to control over other parts of requests or responses. This could result in data exfiltration from other requests or Server-Side Request Forgery (SSRF). The vulnerability has a high impact on both confidentiality and integrity, potentially exposing sensitive information or allowing unauthorized modifications to data. The CVSS v3.1 base score is 6.8, indicating a moderate to high severity.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.
Patches are available. For trillium-http, version 0.3.12 and later address the issue by omitting invalid header names and values from network transmission in server response headers. For trillium-client, version 0.5.4 and later return an Error::MalformedHeader if any header name or value is invalid in client request headers, prior to any network access. Users should update to these patched versions to mitigate the vulnerability.
In addition to applying the available patches, it is recommended that Trillium services and client applications validate or sanitize any untrusted input that ends up in header names and header values. Specifically, carriage return, newline, and null characters must be rejected in these fields. For systems that cannot be updated immediately, rigorous input validation at the application level, applied before a header is constructed, mitigates the risk.
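The following is an added example, not code from the Trillium project, showing the application-level check described above and the two remediation policies the advisory attributes to the patched crates: refusing to send any request whose headers are malformed (the client-side behaviour of returning an error before network access) and omitting invalid headers from the serialized response (the server-side behaviour). The HeaderError type, the function names and the constructed sample headers are assumptions of this example; only standard-library Rust is used.

```rust
// Added example: validating outbound HTTP header names and values before they
// reach the wire, so that a CR, LF or NUL in attacker-influenced input can never
// terminate a header line or a message early.

#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    // Hypothetical error type, standing in for an error such as
    // the MalformedHeader variant mentioned in the advisory.
    MalformedName(String),
    MalformedValue(String),
}

/// RFC 7230 "tchar": the only bytes permitted in a header (field) name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric()
        || matches!(
            b,
            b'!' | b'#' | b'$' | b'%' | b'&' | b'\'' | b'*' | b'+' | b'-' | b'.' | b'^'
                | b'_' | b'`' | b'|' | b'~'
        )
}

/// A header name is valid when it is non-empty and consists only of token
/// characters. That rule excludes CR, LF, NUL, whitespace and ':' by construction.
pub fn is_valid_header_name(name: &str) -> bool {
    !name.is_empty() && name.bytes().all(is_tchar)
}

/// A header value is valid when it contains none of the three bytes that let a
/// single value break out of its line: carriage return, line feed and NUL.
pub fn is_valid_header_value(value: &str) -> bool {
    !value.bytes().any(|b| matches!(b, b'\r' | b'\n' | 0))
}

/// Strict policy (the client-side fix): validate every header first and return an
/// error before anything is written, so a malformed header means no request at all.
pub fn serialize_headers_strict(headers: &[(&str, &str)]) -> Result<String, HeaderError> {
    let mut out = String::new();
    for (name, value) in headers {
        if !is_valid_header_name(name) {
            return Err(HeaderError::MalformedName(name.to_string()));
        }
        if !is_valid_header_value(value) {
            return Err(HeaderError::MalformedValue(value.to_string()));
        }
        out.push_str(name);
        out.push_str(": ");
        out.push_str(value);
        out.push_str("\r\n");
    }
    Ok(out)
}

/// Lenient policy (the server-side fix): drop each invalid header from the wire
/// representation and keep the rest. Returns the serialized block together with
/// the names of the omitted headers so the application can log them.
pub fn serialize_headers_lenient(headers: &[(&str, &str)]) -> (String, Vec<String>) {
    let mut out = String::new();
    let mut dropped = Vec::new();
    for (name, value) in headers {
        if !is_valid_header_name(name) || !is_valid_header_value(value) {
            dropped.push(name.to_string());
            continue;
        }
        out.push_str(name);
        out.push_str(": ");
        out.push_str(value);
        out.push_str("\r\n");
    }
    (out, dropped)
}

fn main() {
    // Constructed sample: one clean header and one whose value carries an
    // embedded CRLF, as described in the advisory.
    let headers = [("Host", "example.com"), ("X-Note", "ok\r\nX-Injected: 1")];

    match serialize_headers_strict(&headers) {
        Ok(wire) => println!("strict: sent\n{wire}"),
        Err(e) => println!("strict: refused to send, {e:?}"),
    }

    let (wire, dropped) = serialize_headers_lenient(&headers);
    println!("lenient: sent\n{wire}omitted headers: {dropped:?}");
}
```

Both policies share the same validators; the difference is only whether an invalid header aborts the whole message or is silently dropped, which is why logging the dropped names matters for detecting attempts.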
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-23644
Feedly found the first article mentioning CVE-2024-23644.
EPSS Score was set to: 0.05% (Percentile: 12.1%)
A CVSS base score of 8.1 has been assigned.