5.3
CVE-2024-45597
- EPSS 0.31%
- Veröffentlicht 10.09.2024 22:15:01
- Zuletzt bearbeitet 05.03.2025 14:53:25
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPluto's http.request allows CR and LF in header values
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pluto-lang ≫ Pluto Version >= 0.9.0 < 0.9.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.223 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
https://github.com/PlutoLang/Pluto/pull/945
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7