CVE-2024-45302

RestSharp is a Simple REST and HTTP API Client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method which does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation. RestSharp has addressed this issue in version 112.0.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:restsharp:restsharp:*:*:*:*:*:*:*:*

History

01 Oct 2024, 20:05

Type Values Removed Values Added
CPE cpe:2.3:a:restsharp:restsharp:*:*:*:*:*:*:*:*
First Time Restsharp restsharp
Restsharp
CWE CWE-74
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 7.8
Summary
  • (es) RestSharp es un cliente de API HTTP y REST simple para .NET. El segundo argumento de `RestRequest.AddHeader` (el valor del encabezado) es vulnerable a la inyección CRLF. Lo mismo se aplica a `RestRequest.AddOrUpdateHeader` y `RestClient.AddDefaultHeader`. La forma en que se agregan los encabezados HTTP a una solicitud es a través del método `HttpHeaders.TryAddWithoutValidation` que no verifica los caracteres CRLF en el valor del encabezado. Esto significa que cualquier encabezado de un objeto `RestSharp.RequestHeaders` se agrega a la solicitud de tal manera que es vulnerable a la inyección CRLF. En general, la inyección CRLF en un encabezado HTTP (cuando se usa HTTP/1.1) significa que uno puede inyectar encabezados HTTP adicionales o contrabandear solicitudes HTTP completas. Si una aplicación que usa la librería RestSharp pasa un valor controlable por el usuario a un encabezado, entonces esa aplicación se vuelve vulnerable a la inyección CRLF. Esto no es necesariamente un problema de seguridad para una aplicación de línea de comandos como la anterior, pero si dicho código estuviera presente en una aplicación web, se volvería vulnerable a la división de solicitudes (como se muestra en la PoC) y, por lo tanto, a la falsificación de solicitudes del lado del servidor. Estrictamente hablando, esta es una vulnerabilidad potencial en aplicaciones que usan RestSharp, no en RestSharp en sí, pero yo diría que, como mínimo, debería haber una advertencia sobre este comportamiento en la documentación de RestSharp. RestSharp ha abordado este problema en la versión 112.0.0. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.
References () https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32 - () https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32 - Issue Tracking
References () https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b - () https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b - Patch
References () https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc - () https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc - Exploit, Third Party Advisory

29 Aug 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-29 22:15

Updated : 2024-10-01 20:05


NVD link : CVE-2024-45302

Mitre link : CVE-2024-45302

CVE.ORG link : CVE-2024-45302


JSON object : View

Products Affected

restsharp

  • restsharp
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')