CVE-2022-3918
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http://example.com/ with the GET method. Suppose we set the URLRequest header "Foo" to the value "Bar Extra-Header: Added GET /other HTTP/1.1". When this request is sent, it will appear to the server as two requests: GET / HTTP/1.1 Foo: Bar Extra-Header: Added GET /other HTTP/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below.
Un programa que utiliza FoundationNetworking en swift-corelibs-foundation es potencialmente vulnerable a la inyección CRLF () en los encabezados URLRequest. En esta vulnerabilidad, un cliente puede insertar una o varias secuencias CRLF en un valor de encabezado URLRequest. Cuando esa solicitud se envía a través de URLSession a un servidor HTTP, el servidor puede interpretar el contenido después del CRLF como encabezados adicionales, o incluso una segunda solicitud. Por ejemplo, considere una URLRequest a http://example.com/ con el método GET. Supongamos que configuramos el encabezado de URLRequest "Foo" con el valor "Bar Extra-Header: Added GET /other HTTP/1.1". Cuando se envía esta solicitud, aparecerá en el servidor como dos solicitudes: GET / HTTP/1.1 Foo: Bar Extra-Header: Added GET /other HTTP/1.1 De esta manera, el cliente puede inyectar encabezados adicionales y crear un solicitud completamente nueva a una ruta separada, a pesar de realizar solo una llamada API en URLSession. Si un desarrollador tiene control total sobre la solicitud y sus encabezados, es posible que esta vulnerabilidad no represente una amenaza. Sin embargo, esta vulnerabilidad aumenta si la entrada del usuario no desinfectada se coloca en los valores del encabezado. Si es así, un usuario malintencionado podría inyectar nuevos encabezados o solicitudes a un servidor intermediario o backend. En este caso, los desarrolladores deben tener especial cuidado al desinfectar la entrada del usuario o actualizar su versión de swift-corelibs-foundation para incluir el parche siguiente.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-11-09 CVE Reserved
- 2023-01-20 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-4pp3-mpf2-rj63 | Mitigation |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Swift Foundation Search vendor "Apple" for product "Swift Foundation" | < 5.7.3 Search vendor "Apple" for product "Swift Foundation" and version " < 5.7.3" | - |
Affected
| ||||||