CVE-2023-23936 - OpenCVE

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Nodejs	Node.js Undici

Configuration 1 [-]

OR	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:undici::::::node.js::*

References

Link	Resource
https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034	Patch
https://github.com/nodejs/undici/releases/tag/v5.19.1	Release Notes
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff	Vendor Advisory
https://hackerone.com/reports/1820955	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-16T17:30:23.968Z

Updated: 2023-02-16T17:30:23.968Z

Reserved: 2023-01-19T21:12:31.361Z

Link: CVE-2023-23936

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-02-16T18:15:10.877

Modified: 2023-02-24T19:14:28.203

Link: CVE-2023-23936

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-23936", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-19T21:12:31.361Z", "datePublished": "2023-02-16T17:30:23.968Z", "dateUpdated": "2023-02-16T17:30:23.968Z"}, "containers": {"cna": {"title": "CRLF Injection in Nodejs \u2018undici\u2019 via host", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"}, {"name": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"}, {"name": "https://hackerone.com/reports/1820955", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1820955"}, {"name": "https://github.com/nodejs/undici/releases/tag/v5.19.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"}], "affected": [{"vendor": "nodejs", "product": "undici", "versions": [{"version": ">=2.0.0, < 5.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-16T17:30:23.968Z"}, "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici."}], "source": {"advisory": "GHSA-5r9g-qh6m-jxff", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "6E9FAEC6-2D3A-4CBE-859F-11BCECC4F724", "versionEndExcluding": "16.19.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "80500AD0-17C2-4698-AE03-1C6782FD38B0", "versionEndExcluding": "18.14.1", "versionStartIncluding": "18.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "8F4FCD16-4B9F-44B9-80DD-D024759CAB10", "versionEndExcluding": "19.6.1", "versionStartIncluding": "19.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0B81E26E-5BF8-495E-9544-E9688B6AE5BA", "versionEndExcluding": "5.19.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici."}], "id": "CVE-2023-23936", "lastModified": "2023-02-24T19:14:28.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-02-16T18:15:10.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nodejs/undici/releases/tag/v5.19.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/1820955"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}