Description
Improper Input Validation in nyholm/psr7
Impact
Improper header parsing. An attacker could sneak a newline (\n) into both header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.
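The kind of check whose absence the paragraph above describes, as an added example that is not code from nyholm/psr7 or from the advisory. The function names are hypothetical, the character classes follow the RFC 7230 grammar for field names and values, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: strict header validation following the RFC 7230 grammar.
// Function names are hypothetical and are not part of nyholm/psr7.

/** A header name must be an RFC 7230 "token": no whitespace, CR, LF or separators. */
function isValidHeaderName(string $name): bool
{
    // The D modifier matters: without it, "$" also matches just before a
    // trailing "\n", so "X-Foo\n" would slip through.
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D', $name) === 1;
}

/** A header value may hold space, tab, visible ASCII and obs-text (0x80-0xFF) only. */
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value) === 1;
}

/** Reject the header before it reaches message construction or serialization. */
function assertValidHeader(string $name, string $value): void
{
    if (!isValidHeaderName($name)) {
        throw new InvalidArgumentException('Invalid header name');
    }
    if (!isValidHeaderValue($value)) {
        throw new InvalidArgumentException('Invalid header value');
    }
}

// Constructed sample inputs: one clean header, then newlines in value and name.
$samples = [
    ['X-Request-Id', 'abc123'],
    ['X-Request-Id', "abc123\nX-Injected: 1"],
    ["X-Foo\nX-Bar", 'value'],
    ['X-Trailing', "value\n"],
];

foreach ($samples as [$name, $value]) {
    try {
        assertValidHeader($name, $value);
        $result = 'accepted';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%s => %s\n", json_encode([$name, $value]), $result);
}
```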
Patches
The issue is patched in 1.6.1.
Workarounds
There are no known workarounds.
References
- https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
- https://nvd.nist.gov/vuln/detail/CVE-2023-29197
- https://github.com/FriendsOfPHP/security-advisories/blob/master/nyholm/psr7/2023-04-17.yaml
Packages
Name: nyholm/psr7 (composer)
Affected versions: < 1.6.1
Fixed version: 1.6.1
CVSS3: 5.3 Medium
Weaknesses
CWE-436