1211838 – (CVE-2020-11709) VUL-0: CVE-2020-11709: cpp-httplib: CRLF Injection

Bug 1211838 (CVE-2020-11709) - VUL-0: CVE-2020-11709: cpp-httplib: CRLF Injection

Summary: VUL-0: CVE-2020-11709: cpp-httplib: CRLF Injection

Status:	NEW

Alias:	CVE-2020-11709

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Leap 15.4
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major (vote)
Target Milestone:	Leap 15.4
Assignee:	Forgotten User EUhkD-ZdS8
QA Contact:	E-mail List

URL:	https://smash.suse.de/issue/256991/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-05-31 03:44 UTC by Stoyan Manolov
Modified:	2023-05-31 04:15 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stoyan Manolov 2023-05-31 03:44:55 UTC

CVE-2020-11709

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the
set_redirect and set_header functions, which creates possibilities for CRLF
injection and HTTP response splitting in some specific contexts.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11709
https://bugzilla.redhat.com/show_bug.cgi?id=2211075
https://www.cve.org/CVERecord?id=CVE-2020-11709
http://www.cvedetails.com/cve/CVE-2023-26130/
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11709.html
https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495
https://github.com/yhirose/cpp-httplib/issues/425

Comment 1 Stoyan Manolov 2023-05-31 03:46:32 UTC

Tracking as Affected:

openSUSE:Factory / cpp-httplib
devel:libraries:c_c++ / cpp-httplib