CVE-2022-31150 - OpenCVE

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Nodejs	Undici

Configuration 1 [-]

cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/nodejs/undici/releases/tag/v5.8.0	Release Notes Third Party Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc	Exploit Third Party Advisory
https://hackerone.com/reports/409943	Exploit Third Party Advisory
https://security.netapp.com/advisory/ntap-20220915-0002/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-07-19T20:40:10

Updated: 2022-09-15T17:06:42

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31150

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-19T21:15:15.160

Modified: 2022-10-28T18:31:31.273

Link: CVE-2022-31150

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "undici", "vendor": "nodejs", "versions": [{"status": "affected", "version": "< v5.7.1, >= v5.8.0"}]}], "descriptions": [{"lang": "en", "value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-15T17:06:42", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/409943"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220915-0002/"}], "source": {"advisory": "GHSA-3cvr-822r-rqcc", "discovery": "UNKNOWN"}, "title": "CRLF injection in request headers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31150", "STATE": "PUBLIC", "TITLE": "CRLF injection in request headers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "undici", "version": {"version_data": [{"version_value": "< v5.7.1, >= v5.8.0"}]}}]}, "vendor_name": "nodejs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc", "refsource": "CONFIRM", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"}, {"name": "https://hackerone.com/reports/409943", "refsource": "MISC", "url": "https://hackerone.com/reports/409943"}, {"name": "https://github.com/nodejs/undici/releases/tag/v5.8.0", "refsource": "MISC", "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"}, {"name": "https://security.netapp.com/advisory/ntap-20220915-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220915-0002/"}]}, "source": {"advisory": "GHSA-3cvr-822r-rqcc", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31150", "datePublished": "2022-07-19T20:40:10", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2022-09-15T17:06:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9673DD56-07E3-4AA7-A2E1-BAF0D820DFA0", "versionEndExcluding": "5.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\\r\\n` is a workaround for this issue."}, {"lang": "es", "value": "undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Es posible inyectar secuencias de tipo CRLF en los encabezados de las peticiones en undici en versiones anteriores a 5.7.1. En versi\u00f3n 5.8.0 ha sido publicada una correcci\u00f3n. Una correcci\u00f3n a este problema es sanear todas las cabeceras HTTP de fuentes no confiables para eliminar las secuencias de tipo CRLF."}], "id": "CVE-2022-31150", "lastModified": "2022-10-28T18:31:31.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-07-19T21:15:15.160", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/409943"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220915-0002/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Secondary"}]}