PT-2023-20515 · Drogon · Drogon

Alessio Della Libera

Published

2023-07-06

Updated

2023-07-13

CVE-2023-26137

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions drogonframework/drogon (affected versions not specified)

Description The issue arises when untrusted user input is used to build header values in the addHeader and addCookie functions, allowing an attacker to inject malicious content by adding r (carriage return line feeds) characters to end the HTTP response headers. This enables HTTP Response Splitting, where an attacker can manipulate the HTTP response to inject malicious content.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-113CWE-444

Related Identifiers

CVE-2023-26137

Affected Products

Drogon

PT-2023-20515 · Drogon · Drogon

CVE-2023-26137

Weakness Enumeration

Related Identifiers

Affected Products

References · 6