CVE-2024-51501

{"id": "CVE-2024-51501", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 10.0, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-04T23:15:04.893", "references": [{"url": "https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328", "source": "security-advisories@github.com"}, {"url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method. This method does not check for CRLF characters in the header value. This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using Refit and not in Refit itself. This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Refit es una librer\u00eda REST autom\u00e1tica y segura de tipos para .NET Core, Xamarin y .NET Los diversos atributos Refit relacionados con los encabezados (Header, HeaderCollection y Authorize) son vulnerables a la inyecci\u00f3n CRLF. La forma en que se agregan los encabezados HTTP a una solicitud es a trav\u00e9s del m\u00e9todo `HttpHeaders.TryAddWithoutValidation`. Este m\u00e9todo no verifica los caracteres CRLF en el valor del encabezado. Esto significa que cualquier encabezado agregado a una solicitud de refit es vulnerable a la inyecci\u00f3n CRLF. En general, la inyecci\u00f3n CRLF en un encabezado HTTP (cuando se usa HTTP/1.1) significa que uno puede inyectar encabezados HTTP adicionales o contrabandear solicitudes HTTP completas. Si una aplicaci\u00f3n que usa la librer\u00eda Refit pasa un valor controlable por el usuario a un encabezado, entonces esa aplicaci\u00f3n se vuelve vulnerable a la inyecci\u00f3n CRLF. Esto no es necesariamente un problema de seguridad para una aplicaci\u00f3n de l\u00ednea de comandos como la que se muestra arriba, pero si dicho c\u00f3digo estuviera presente en una aplicaci\u00f3n web, se volver\u00eda vulnerable a la divisi\u00f3n de solicitudes (como se muestra en la PoC) y, por lo tanto, a la Server Side Request Forgery. Estrictamente hablando, esta es una vulnerabilidad potencial en aplicaciones que usan Refit y no en Refit en s\u00ed. Este problema se ha solucionado en la versi\u00f3n 8.0.0 y se recomienda a todos los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad."}], "lastModified": "2024-11-08T16:15:50.200", "sourceIdentifier": "security-advisories@github.com"}