Description
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
A flaw was found in BusyBox wget. This vulnerability allows header injection via raw CR/LF and other C0 control bytes in the HTTP request-target. An attacker can exploit this by crafting a URL containing these control characters to inject arbitrary HTTP headers into the outgoing request, potentially leading to HTTP response splitting, cache poisoning, or security policy bypass.
Report
This issue arises because BusyBox wget fails to sanitize control characters in the request-target before constructing the HTTP/1.1 request line. When wget processes a URL containing raw CR (0x0D), LF (0x0A), or other C0 control bytes, these characters are passed directly into the HTTP request without percent-encoding. This breaks the expected request-line format (METHOD SP request-target SP HTTP/1.1) and allows an attacker to terminate the request line prematurely and inject arbitrary headers on subsequent lines.
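As an added example (not BusyBox code), the following C check implements the rule the report calls for: a request-target carrying any C0 control byte or a raw space is refused before the request line is assembled, so it can never split into a second header line. The sample targets are constructed for the demonstration.

```c
/* Added example, not BusyBox code: refuse request-targets that would break
 * the METHOD SP request-target SP HTTP/1.1 request-line shape. */
#include <stdio.h>
#include <string.h>

/* Return 1 if every byte of the request-target may appear verbatim on the
 * request line. Rejected: C0 control bytes 0x00-0x1F (CR 0x0D and LF 0x0A
 * among them) and a raw space 0x20, which a client must send as %20. */
int request_target_is_safe(const char *target)
{
    const unsigned char *p = (const unsigned char *)target;
    if (*p == '\0')
        return 0;                 /* an empty target is not a valid path */
    for (; *p; p++) {
        if (*p <= 0x20)
            return 0;
    }
    return 1;
}

/* Build "METHOD SP request-target SP HTTP/1.1 CRLF" into out.
 * Returns the byte count written (without the NUL), or -1 when the target
 * is unsafe or the buffer is too small. Refusing here is what keeps a
 * target such as "/a\r\nX-Injected: 1" from becoming a second header. */
int build_request_line(const char *method, const char *target,
                       char *out, size_t outsz)
{
    int n;
    if (!request_target_is_safe(target))
        return -1;
    n = snprintf(out, outsz, "%s %s HTTP/1.1\r\n", method, target);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed samples: two well-formed, three carrying rejected bytes. */
    const char *samples[] = {
        "/index.html?q=1", "/a%20b", "/a b", "/a\tb", "/a\r\nX-Injected: 1",
    };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_request_line("GET", samples[i], line, sizeof line);
        if (n < 0)
            printf("sample %zu: rejected\n", i);
        else
            printf("sample %zu: accepted, %d bytes\n", i, n);
    }
    return 0;
}
```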
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | busybox | Fix deferred | | |
Source links
Additional information
Status:
EPSS
5.4 Medium
CVSS3
Related vulnerabilities