CVE-2024-5193

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Published: May 22, 2024 / Updated: 6mo ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

A vulnerability was found in Ritlabs TinyWeb Server 1.94: manipulation of the input %0D%0A leads to CRLF injection in the Request Handler component. The attack can be launched remotely, and an exploit has been publicly disclosed.

Impact

Successful exploitation could allow attackers to inject malicious commands or carry out other attacks leveraging the CRLF injection vulnerability in the Request Handler of Ritlabs TinyWeb Server 1.94. This could potentially lead to unauthorized access, data tampering, or other security impacts.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vendor was notified about this vulnerability but did not respond, so it is currently unpatched in the affected version 1.94 of Ritlabs TinyWeb Server.

Mitigation

As no patch is available yet, mitigation would involve restricting network access to the vulnerable TinyWeb server, updating input validation to reject CR/LF sequences such as %0D%0A and so prevent CRLF injection, or upgrading to a newer, secure version of TinyWeb Server once one is available.
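As an added illustration, not code from the advisory or from TinyWeb (whose source is not shown here), the following Python shows the pattern the summary describes and the validation the mitigation calls for: a request target carrying percent-encoded %0D%0A is copied into a response header by a hypothetical handler, the hardened builder refuses it, and a log check flags such requests. The Location header, the handler functions and the access-log lines are constructed assumptions.

```python
from typing import List, Optional
from urllib.parse import unquote

# Constructed request target (not taken from the advisory): the path carries the
# percent-encoded CR LF pair %0D%0A that CVE-2024-5193 names as the input.
SAMPLE_TARGET = "/index.html%0D%0ASet-Cookie:%20session=attacker"

# Constructed Common Log Format lines for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2024:10:41:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/May/2024:10:42:00 +0000] "GET ' + SAMPLE_TARGET + ' HTTP/1.1" 302 0',
]


def contains_crlf(value: str) -> bool:
    """True if the value holds CR or LF literally or after one percent-decode."""
    decoded = unquote(value)
    return "\r" in decoded or "\n" in decoded


def vulnerable_location_header(target: str) -> bytes:
    """Flawed pattern (hypothetical handler): the decoded request target is copied
    into a response header unchecked, so the injected CR LF terminates the Location
    line and the remainder is emitted as a second, attacker-chosen header."""
    return b"Location: " + unquote(target).encode("latin-1") + b"\r\n"


def safe_location_header(target: str) -> Optional[bytes]:
    """Hardened form: refuse to build the header when the decoded value carries
    CR or LF; returns None so the caller can answer 400 instead of splitting."""
    if contains_crlf(target):
        return None
    return b"Location: " + unquote(target).encode("latin-1") + b"\r\n"


def flag_crlf_requests(log_lines: List[str]) -> List[str]:
    """Detection: return the request targets of access-log lines that decode to
    contain CR or LF (matches %0D%0A in either letter case)."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split()) < 2:
            continue  # malformed line: skip rather than crash
        target = parts[1].split()[1]
        if contains_crlf(target):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    print(vulnerable_location_header(SAMPLE_TARGET))  # two CR LF pairs: header split
    print(safe_location_header(SAMPLE_TARGET))        # None: rejected
    print(flag_crlf_requests(SAMPLE_LOG))             # [SAMPLE_TARGET]
```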

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-5193.

May 22, 2024 at 10:41 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

May 22, 2024 at 10:42 AM
CVE Assignment

NVD published the first details for CVE-2024-5193

May 22, 2024 at 11:15 AM
CVSS

A CVSS base score of 5.3 has been assigned.

May 22, 2024 at 11:21 AM / nvd
Trending

This CVE started to trend in security discussions

May 22, 2024 at 12:12 PM
Trending

This CVE stopped trending in security discussions

May 23, 2024 at 6:26 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 15%)

May 23, 2024 at 10:16 AM

Affected Systems

Ritlabs

Attack Patterns

CAPEC-15: Command Delimiters

News

NA - CVE-2024-5193 - A vulnerability was found in Ritlabs TinyWeb...
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input...
CVE-2024-5193
Severity 3.1 (CVSS 3.1 Base Score) A vulnerability was found in Ritlabs TinyWeb Server 1.94.
CVE-2024-5193
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been CVE-2024-5193 originally published on CyberSecurityBoard
CVE-2024-5193 - A vulnerability was found in Ritlabs TinyWeb Serve
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics. VDB-265830 is the identifier assigned to this vulnerability.
CVE-2024-5193
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
