PT-2023-13704 · Apple · Swift-Corelibs-Foundation

Alessio Della Libera · Published 2023-01-20 · Updated 2025-04-02

CVE-2022-3918
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: swift-corelibs-foundation (affected versions not specified)
Description: A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF injection in URLRequest headers. The library does not reject one or more CRLF (`\r\n`) sequences inside a URLRequest header value, so the server can interpret the remainder of the value as extra headers or even as a second request. For example, a URLRequest to "http://example.com/" with the GET method and a header "Foo" set to "Bar\r\nExtra-Header: Added\r\nGET /other HTTP/1.1" can appear to the server as two requests. The impact is greater when unsanitized user input is placed in header values: a malicious user can then inject new headers or additional requests toward an intermediary or backend server.
Recommendations: As a temporary workaround, validate or sanitize user-controlled input before placing it in header values so that CR and LF cannot reach the request. Upgrade swift-corelibs-foundation to a version that includes the patch for this issue once one is identified; at the time of writing, no fixed version is recorded here. Where unsanitized user input must be used in header values, restrict access to the vulnerable modules or functions to minimize the risk of exploitation.
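The following Swift script is an added example, not code from swift-corelibs-foundation or from this advisory. It renders the request head of a URLRequest carrying the header value quoted above, so the second request-line the server would see is visible without a network, and it implements the recommended input check as a validating wrapper around URLRequest.setValue(_:forHTTPHeaderField:). The names validateHeader, setValidatedValue and renderRequestHead are hypothetical helpers. One caveat the check is written around: in Swift, "\r\n" is a single Character (one grapheme cluster), so a String.contains("\n") test does not catch it; the check therefore walks unicodeScalars.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking   // URLRequest lives here on Linux (swift-corelibs-foundation)
#endif

/// Error raised when a header name or value would break HTTP/1.1 framing.
enum HeaderInjectionError: Error, CustomStringConvertible {
    case invalidFieldName(String)
    case controlCharacterInValue(field: String, value: String)

    var description: String {
        switch self {
        case .invalidFieldName(let name):
            return "header field name is not an RFC 7230 token: \(name.debugDescription)"
        case .controlCharacterInValue(let field, let value):
            return "header \(field) contains CR/LF or another control character: \(value.debugDescription)"
        }
    }
}

/// Characters RFC 7230 allows in a field name (tchar).
private let tokenCharacters: Set<Character> = {
    var set = Set<Character>("!#$%&'*+-.^_`|~0123456789")
    set.formUnion("abcdefghijklmnopqrstuvwxyz")
    set.formUnion("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
    return set
}()

/// Hypothetical check: rejects a non-token field name and any value containing
/// CR, LF, NUL or another control character (RFC 7230 field values allow only
/// VCHAR, SP, HTAB and obs-text). Iterates unicode scalars on purpose, because
/// "\r\n" collapses into one Character and would slip past a Character-level test.
func validateHeader(name: String, value: String) throws {
    guard !name.isEmpty,
          name.unicodeScalars.allSatisfy({ tokenCharacters.contains(Character($0)) }) else {
        throw HeaderInjectionError.invalidFieldName(name)
    }
    for scalar in value.unicodeScalars {
        let v = scalar.value
        let isHorizontalTab = (v == 0x09)
        let isControl = (v < 0x20) || (v == 0x7F)
        if isControl && !isHorizontalTab {
            throw HeaderInjectionError.controlCharacterInValue(field: name, value: value)
        }
    }
}

extension URLRequest {
    /// Hypothetical drop-in for setValue(_:forHTTPHeaderField:) that refuses
    /// names and values capable of injecting extra headers or requests.
    mutating func setValidatedValue(_ value: String, forHTTPHeaderField field: String) throws {
        try validateHeader(name: field, value: value)
        setValue(value, forHTTPHeaderField: field)
    }
}

/// Renders the request head as it would travel on the wire, so the effect of an
/// unvalidated value can be inspected offline. Header order is sorted for stable output.
func renderRequestHead(_ request: URLRequest) -> String {
    guard let url = request.url else { return "" }
    let method = request.httpMethod ?? "GET"
    let path = url.path.isEmpty ? "/" : url.path
    var head = "\(method) \(path) HTTP/1.1\r\nHost: \(url.host ?? "")\r\n"
    for (name, value) in (request.allHTTPHeaderFields ?? [:]).sorted(by: { $0.key < $1.key }) {
        head += "\(name): \(value)\r\n"
    }
    return head + "\r\n"
}

// Constructed input: the header value quoted in the advisory. The embedded CRLFs
// smuggle an extra header and a complete second request-line.
let injected = "Bar\r\nExtra-Header: Added\r\nGET /other HTTP/1.1"
let target = URL(string: "http://example.com/")!

// Unpatched behaviour described by the advisory: the value is stored unchanged,
// so the rendered head contains "Extra-Header: Added" and "GET /other HTTP/1.1"
// on their own lines, which a server may parse as a second request.
var unsafeRequest = URLRequest(url: target)
unsafeRequest.httpMethod = "GET"
unsafeRequest.setValue(injected, forHTTPHeaderField: "Foo")
print("--- what the server would receive ---")
print(renderRequestHead(unsafeRequest).replacingOccurrences(of: "\r\n", with: "\\r\\n\n"))

// Hardened path: the same value is refused before it reaches the request.
var safeRequest = URLRequest(url: target)
safeRequest.httpMethod = "GET"
do {
    try safeRequest.setValidatedValue(injected, forHTTPHeaderField: "Foo")
    print("unexpected: value accepted")
} catch {
    print("rejected:", error)
}
```

Run it as a script (`swift crlf_check.swift`) on a toolchain that ships FoundationNetworking. The wrapper rejects rather than strips CR and LF: silently deleting the control characters would still forward a value the caller did not intend, and rejecting makes the injection attempt visible in logs. Apply the same check to header names, since a name containing a colon or CRLF is just as capable of splitting the request.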

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2022-3918
GHSA-4PP3-MPF2-RJ63

Affected Products

Swift-Corelibs-Foundation