CVE-2023-29530
Laminas Diactoros vulnerable to HTTP Multiline Header Termination
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-04-07 CVE Reserved
- 2023-04-24 CVE Published
- 2024-05-26 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/advisories/GHSA-wxmh-65f7-jcvw | Not Applicable | |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPW54QK7ISDALPLP2CKODU4ZIVRYS336 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-9h36 | 2023-05-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | < 2.18.1 Search vendor "Getlaminas" for product "Laminas-diactoros" and version " < 2.18.1" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.19.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.19.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.20.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.20.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.21.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.21.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.22.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.22.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.23.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.23.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.24.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.24.0" | - |
Affected
| ||||||
| Getlaminas Search vendor "Getlaminas" | Laminas-diactoros Search vendor "Getlaminas" for product "Laminas-diactoros" | 2.25.0 Search vendor "Getlaminas" for product "Laminas-diactoros" and version "2.25.0" | - |
Affected
| ||||||
| Guzzlephp Search vendor "Guzzlephp" | Psr-7 Search vendor "Guzzlephp" for product "Psr-7" | < 1.9.1 Search vendor "Guzzlephp" for product "Psr-7" and version " < 1.9.1" | - |
Affected
| ||||||
| Guzzlephp Search vendor "Guzzlephp" | Psr-7 Search vendor "Guzzlephp" for product "Psr-7" | >= 2.0.0 < 2.4.5 Search vendor "Guzzlephp" for product "Psr-7" and version " >= 2.0.0 < 2.4.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||