CVE-2022-3215

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace.

NIOHTTP1 y los proyectos que lo usan para generar respuestas HTTP pueden ser objeto de un ataque de inyección de respuesta HTTP. Esto ocurre cuando un servidor HTTP/1.1 acepta entradas generadas por el usuario desde una petición entrante y las refleja en un encabezado de respuesta HTTP/1.1 de alguna forma. Un usuario malicioso puede añadir nuevas líneas a su entrada (normalmente en forma codificada) e "inyectar" esas nuevas líneas en la respuesta HTTP devuelta. Esta capacidad permite a usuarios eludir los encabezados de seguridad y los encabezados de enmarcado HTTP/1.1 inyectando respuestas completamente falsas u otros encabezados nuevos. Las respuestas falsas inyectadas también pueden ser tratadas como la respuesta a peticiones posteriores, lo que puede conllevar a un ataque de tipo XSS, envenenamiento de la caché y una serie de otros fallos. Este problema ha sido resuelto añadiendo comprobación al tipo HTTPHeaders, asegurando que no se presentan espacios en blanco incorrectos en los encabezados HTTP proporcionadas por los usuarios. Como la superficie de la API existente no es fallida, todos los caracteres no válidos son sustituidos por espacios en blanco lineales

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-14 CVE Reserved
2022-09-28 CVE Published
2024-04-20 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CAPEC

References (1)

URL	Tag	Source
https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Swiftnio Search vendor "Apple" for product "Swiftnio"				< 2.29.1 Search vendor "Apple" for product "Swiftnio" and version " < 2.29.1"		-		Affected
Apple Search vendor "Apple"		Swiftnio Search vendor "Apple" for product "Swiftnio"				>= 2.30.0 < 2.39.1 Search vendor "Apple" for product "Swiftnio" and version " >= 2.30.0 < 2.39.1"		-		Affected
Apple Search vendor "Apple"		Swiftnio Search vendor "Apple" for product "Swiftnio"				>= 2.40.0 < 2.42.0 Search vendor "Apple" for product "Swiftnio" and version " >= 2.40.0 < 2.42.0"		-		Affected