PT-2022-22874 · Proxmox+2 · Proxmox Mail Gateway+4
Cursered
Published: 2022-07-08 · Updated: 2025-04-22
CVE-2022-35507
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Proxmox Virtual Environment versions prior to pve-http-server 4.1-3
Proxmox Mail Gateway versions prior to pve-http-server 4.1-3
Description
A CRLF injection vulnerability in response headers of the web interface allows a remote attacker to set cookies in a victim's browser that are longer than the server expects, causing a client-side denial of service. The issue affects Chromium-based browsers because they accept a URL-encoded carriage return (%0d) as a header line terminator, which lets an attacker inject additional response headers.
Recommendations
For Proxmox Virtual Environment versions prior to pve-http-server 4.1-3, update to pve-http-server 4.1-3 to resolve the issue.
For Proxmox Mail Gateway versions prior to pve-http-server 4.1-3, update to pve-http-server 4.1-3 to resolve the issue.
As a temporary workaround, consider restricting access to the web interface until a patch is available.
Exploit · Fix · DoS · Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Chromium
Proxmox Mail Gateway
Proxmox Virtual Environment
Pve-Http-Server