CVE-2022-35507

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/	Exploit Patch Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:proxmox:proxmox_mail_gateway:-:::::::*
	cpe:2.3:a:proxmox:pve_http_server::::::::
	cpe:2.3:a:proxmox:virtual_environment:-:::::::*

History

07 Nov 2023, 03:49

Type	Values Removed	Values Added
References	{'url': 'https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff;h=936007ae0241811093155000486da171379c23c2', 'name': 'https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff;h=936007ae0241811093155000486da171379c23c2', 'tags': ['Patch', 'Third Party Advisory'], 'refsource': 'MISC'}	() https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2 -

Information

Published : 2022-12-04 19:15

Updated : 2024-02-28 19:51

NVD link : CVE-2022-35507

Mitre link : CVE-2022-35507

CVE.ORG link : CVE-2022-35507

JSON object : View

Products Affected

proxmox

virtual_environment
proxmox_mail_gateway
pve_http_server

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2022-35507", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2022-12-04T19:15:09.850", "references": [{"url": "https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2", "source": "cve@mitre.org"}, {"url": "https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/", "tags": ["Exploit", "Patch", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n CRLF de encabezado de respuesta en la interfaz web Proxmox Virtual Environment (PVE) y Proxmox Mail Gateway (PMG) permite a un atacante remoto configurar cookies para el navegador de una v\u00edctima que son m\u00e1s largas de lo que espera el servidor, lo que provoca un DoS del lado del cliente. Esto afecta a los navegadores basados en Chromium porque permiten la inyecci\u00f3n de encabezados de respuesta con %0d. Esto se solucion\u00f3 en pve-http-server 4.1-3."}], "lastModified": "2023-11-07T03:49:18.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:proxmox:proxmox_mail_gateway:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9F113EE-EBBD-4045-A484-A140DFF23481"}, {"criteria": "cpe:2.3:a:proxmox:pve_http_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8D79E9B-8BD2-474C-BA09-16CCE2852818", "versionEndExcluding": "4.1-3"}, {"criteria": "cpe:2.3:a:proxmox:virtual_environment:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27813454-BC59-4D19-B608-A95E754F60EA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}