PT-2023-22303 · Laminas · Laminas Diactoros
Grahamcampbell · Published 2023-04-19 · Updated 2023-05-05 · CVE-2023-29530
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Laminas Diactoros versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0
Description
The issue is improper header parsing: an attacker could inject a newline into header names as well as header values, potentially leading to denial-of-service vectors or application errors. This can occur when users create HTTP requests or responses using laminas/laminas-diactoros and supply a newline at the start or end of a header key or value, producing an invalid message.
Recommendations
For versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, update to the patched versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1 respectively.
As a temporary workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip leading or trailing newline characters before calling withHeader().
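The workaround above, written out as an added example that is not part of the advisory or of the Laminas code base. It assumes laminas/laminas-diactoros (and therefore psr/http-message) is installed through Composer; the function names `sanitizeHeaderValue`, `assertHeaderName` and `safeWithHeader` are ours, not the library's.

```php
<?php
declare(strict_types=1);

// Added example: a guard placed in front of withHeader(), implementing the
// advisory's interim workaround (strip edge CR/LF, validate the header key).
// Assumes Composer autoloading with laminas/laminas-diactoros installed.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Diactoros\Response;
use Psr\Http\Message\MessageInterface;

// RFC 7230 "token" characters allowed in a header field name; CR/LF never are.
const HEADER_NAME_RE = '/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/';

/**
 * Strip leading/trailing CR and LF from a user-supplied value, then reject any
 * CR or LF that remains inside it (an embedded line break is not a valid value).
 */
function sanitizeHeaderValue(string $value): string
{
    $value = trim($value, "\r\n");
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('Header value contains CR/LF');
    }
    return $value;
}

/** Reject a header key that is not a plain RFC 7230 token (covers edge newlines). */
function assertHeaderName(string $name): void
{
    if (preg_match(HEADER_NAME_RE, $name) !== 1) {
        throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
    }
}

/** Validate key and value first; only then hand the header to Diactoros. */
function safeWithHeader(MessageInterface $message, string $name, string $value): MessageInterface
{
    assertHeaderName($name);
    return $message->withHeader($name, sanitizeHeaderValue($value));
}

// Constructed inputs: a value with stray CR/LF at its edges (stripped and accepted)
// and a key with a trailing newline (rejected before withHeader() is reached).
$response = safeWithHeader(new Response(), 'X-Request-Id', "\nabc123\r\n");
var_dump($response->getHeaderLine('X-Request-Id'));

try {
    safeWithHeader($response, "X-Custom-Key\n", 'value');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```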
Related identifiers
Affected products
Laminas Diactoros