ByteOS Network

NVD Vulnerability Details :

CVE-2023-26138

Modified

Source-report@snyk.io

Published At-06 Jul, 2023 | 05:15

Updated At-07 Nov, 2023 | 04:09

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Type: Primary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CPE Matches

drogon>>drogon>>*

cpe:2.3:a:drogon:drogon:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-74	Primary	nvd@nist.gov
CWE-93	Secondary	report@snyk.io

CWE ID: CWE-74

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-93

Type: Secondary

Source: report@snyk.io

References

Hyperlink	Source	Resource
https://gist.github.com/dellalibera/d2abd809f32ec6c61be1f41d80edf61b	report@snyk.io	Exploit
https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665555	report@snyk.io	Third Party Advisory

Hyperlink: https://gist.github.com/dellalibera/d2abd809f32ec6c61be1f41d80edf61b

Source: report@snyk.io

Resource:

Exploit

Hyperlink: https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665555

Source: report@snyk.io

Resource:

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History