CVE-2023-29530 (CVSS 7.5)
- EPSS 0.18%
- Published 24.04.2023 20:15:08
- Last modified 21.11.2024 07:57:14
- Source security-advisories@github.com
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in the following versions: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.
Data provided by the National Vulnerability Database (NVD)
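The following is an added example of the workaround described above, written for this page; it is not code from laminas-diactoros or from the advisory. The `HeaderSanitizer` class and its method names are this example's own. It strips leading and trailing CR/LF from user-supplied header names and values, rejects anything that still contains a line break (which would otherwise start a new header line), and only then hands the result to the PSR-7 `withHeader()` method. The call into `Laminas\Diactoros\Response` is guarded by `class_exists()` so the sanitizer itself runs without Composer dependencies; the sample inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not laminas-diactoros code): the advisory's workaround of
 * stripping leading/trailing newlines from user-supplied header names and
 * values before calling withHeader(). Class and method names are this
 * example's own assumptions.
 */
final class HeaderSanitizer
{
    /** Remove only leading/trailing CR and LF, the vector named in CVE-2023-29530. */
    public static function trimNewlines(string $s): string
    {
        return trim($s, "\r\n");
    }

    /**
     * Header field names must be RFC 7230 tokens. A CR/LF in the middle of a
     * name cannot be repaired safely, so it is rejected rather than filtered.
     */
    public static function name(string $name): string
    {
        $name = self::trimNewlines($name);
        if ($name === '' || preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
            throw new InvalidArgumentException(sprintf('Invalid header name: %s', json_encode($name)));
        }
        return $name;
    }

    /**
     * Header values: after trimming, any remaining CR or LF would begin a new
     * header line (header injection), so the value is rejected. This is stricter
     * than RFC 7230 obs-fold, a deliberate choice for attacker-controlled input.
     */
    public static function value(string $value): string
    {
        $value = self::trimNewlines($value);
        if (preg_match('/[\r\n]/', $value) === 1) {
            throw new InvalidArgumentException(sprintf('Header value contains a line break: %s', json_encode($value)));
        }
        return $value;
    }
}

// Constructed sample inputs standing in for attacker-controlled request data.
$samples = [
    ["X-Request-Id\n",   "\r\nabc123\n"],          // leading/trailing newlines: filtered
    ["X-Forwarded-Host", "example.test"],          // clean: passes unchanged
    ["X-Request-Id",     "ok\r\nSet-Cookie: a=b"], // embedded CRLF: rejected
    ["Bad\r\nHeader",    "x"],                     // CRLF inside the name: rejected
];

foreach ($samples as [$rawName, $rawValue]) {
    try {
        $name  = HeaderSanitizer::name($rawName);
        $value = HeaderSanitizer::value($rawValue);
        printf("accepted %s: %s\n", json_encode($name), json_encode($value));

        // With laminas-diactoros installed, this is the guarded withHeader() call
        // from the advisory's workaround; skipped when the library is absent.
        if (class_exists(\Laminas\Diactoros\Response::class)) {
            $response = (new \Laminas\Diactoros\Response())->withHeader($name, $value);
            printf("  header line: %s\n", $response->getHeaderLine($name));
        }
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Filtering only the outer CR/LF mirrors the advisory's wording; an embedded CR/LF is treated as a hard error rather than silently removed, because stripping it would turn an injection attempt into a different, still attacker-shaped header value. Upgrading to a patched release remains the real fix; this guard is the interim measure for code paths that pass user input to `withHeader()`.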
Affected configurations:
- Getlaminas ≫ Laminas-diactoros Version < 2.18.1
- Getlaminas ≫ Laminas-diactoros Version 2.19.0
- Getlaminas ≫ Laminas-diactoros Version 2.20.0
- Getlaminas ≫ Laminas-diactoros Version 2.21.0
- Getlaminas ≫ Laminas-diactoros Version 2.22.0
- Getlaminas ≫ Laminas-diactoros Version 2.23.0
- Getlaminas ≫ Laminas-diactoros Version 2.24.0
- Getlaminas ≫ Laminas-diactoros Version 2.25.0
- Fedoraproject ≫ Fedora Version 38
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.18% | 0.402 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
security-advisories@github.com | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.