Bug 1211838 (CVE-2020-11709)

Summary: VUL-0: CVE-2020-11709: cpp-httplib: CRLF Injection
Product: [openSUSE] openSUSE Distribution Reporter: Stoyan Manolov <stoyan.manolov>
Component: SecurityAssignee: Forgotten User EUhkD-ZdS8 <forgotten_EUhkD-ZdS8>
Status: NEW --- QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: Leap 15.4   
Target Milestone: Leap 15.4   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/256991/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stoyan Manolov 2023-05-31 03:44:55 UTC 
CVE-2020-11709

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the
set_redirect and set_header functions, which creates possibilities for CRLF
injection and HTTP response splitting in some specific contexts.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11709
https://bugzilla.redhat.com/show_bug.cgi?id=2211075
https://www.cve.org/CVERecord?id=CVE-2020-11709
http://www.cvedetails.com/cve/CVE-2023-26130/
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11709.html
https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495
https://github.com/yhirose/cpp-httplib/issues/425
Comment 1 Stoyan Manolov 2023-05-31 03:46:32 UTC 
Tracking as Affected:

openSUSE:Factory / cpp-httplib
devel:libraries:c_c++ / cpp-httplib