Bug 1211837 (CVE-2023-26130) - VUL-0: CVE-2023-26130: cpp-httplib: CRLF Injection
Summary: VUL-0: CVE-2023-26130: cpp-httplib: CRLF Injection
Status: RESOLVED FIXED
Alias: CVE-2023-26130
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: Leap 15.4
Assignee: Forgotten User EUhkD-ZdS8
QA Contact: E-mail List
URL: https://smash.suse.de/issue/367794/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-31 03:42 UTC by Stoyan Manolov
Modified: 2023-06-01 10:42 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stoyan Manolov 2023-05-31 03:42:27 UTC 
CVE-2023-26130

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF
Injection when untrusted user input is used to set the content-type header in
the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical
errors and other misbehaviors.

**Note:** This issue is present due to an incomplete fix for
[CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26130
https://bugzilla.redhat.com/show_bug.cgi?id=2211075
https://www.cve.org/CVERecord?id=CVE-2023-26130
http://www.cvedetails.com/cve/CVE-2023-26130/
https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280
https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08
https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4
https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
Comment 1 Stoyan Manolov 2023-05-31 03:44:14 UTC 
Tracking as Affected:

openSUSE:Factory / cpp-httplib
devel:libraries:c_c++ / cpp-httplib
Comment 2 Alexey Svistunov 2023-05-31 09:31:57 UTC 
devel:libraries:c_c++/cpp-httplib updated to version 0.12.5. Request 1089978 to Factory in 'review' state. Thank you!
Comment 3 Alexey Svistunov 2023-06-01 10:42:08 UTC 
Updated in Factory