Bug 1211837 (CVE-2023-26130)

Summary: VUL-0: CVE-2023-26130: cpp-httplib: CRLF Injection
Product: [openSUSE] openSUSE Distribution Reporter: Stoyan Manolov <stoyan.manolov>
Component: SecurityAssignee: Forgotten User EUhkD-ZdS8 <forgotten_EUhkD-ZdS8>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: security-team, svalx78
Version: Leap 15.4   
Target Milestone: Leap 15.4   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/367794/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stoyan Manolov 2023-05-31 03:42:27 UTC 
CVE-2023-26130

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF
Injection when untrusted user input is used to set the content-type header in
the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical
errors and other misbehaviors.

**Note:** This issue is present due to an incomplete fix for
[CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26130
https://bugzilla.redhat.com/show_bug.cgi?id=2211075
https://www.cve.org/CVERecord?id=CVE-2023-26130
http://www.cvedetails.com/cve/CVE-2023-26130/
https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280
https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08
https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4
https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
Comment 1 Stoyan Manolov 2023-05-31 03:44:14 UTC 
Tracking as Affected:

openSUSE:Factory / cpp-httplib
devel:libraries:c_c++ / cpp-httplib
Comment 2 Alexey Svistunov 2023-05-31 09:31:57 UTC 
devel:libraries:c_c++/cpp-httplib updated to version 0.12.5. Request 1089978 to Factory in 'review' state. Thank you!
Comment 3 Alexey Svistunov 2023-06-01 10:42:08 UTC 
Updated in Factory