CVE-2023-30536 – slim/psr7
Package
Manager: composer
Name: slim/psr7
Vulnerable Version: >=1.6 <1.6.1 || >=1.5 <1.5.1 || >=0 <1.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.0011 (percentile 0.30022)
Details
Insecure header validation in slim/psr7

### Impact

An attacker could sneak in a newline (`\n`) into both the header names and values. While the specification states that `\r\n\r\n` is used to terminate the header list, many servers in the wild will also accept `\n\n`. An attacker that is able to control the header names that are passed to Slim-Psr7 would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.

### Patches

The issue is patched in 1.6.1, 1.5.1, and 1.4.1.

### Workarounds

In Slim-Psr7 prior to 1.6.1, 1.5.1, and 1.4.1, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().

### Acknowledgments

We are very grateful to and thank Graham Campbell (https://gjcampbell.co.uk/) for reporting and working with us on this issue.

### References

* Guzzle: CVE-2023-29197, with advisory GHSA-wxmh-65f7-jcvw
* Laminas Diactoros: CVE-2023-29530, with advisory GHSA-xv3h-4844-9h36
* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
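The workaround above (validate header names and values, and strip leading or trailing newlines from user-supplied values before calling withHeader()) can be applied in application code on the affected versions. The following is an added illustration, not code from slim/psr7 or from the advisory: the `HeaderGuard` class and `withSafeHeader()` function are hypothetical names, the character sets are taken from RFC 7230 section 3.2 (a field-name is a `token`; field-content excludes CR and LF), and `withSafeHeader()` assumes the `psr/http-message` interfaces are installed. A newline inside a header name cannot be repaired by trimming, so names are rejected outright; values are trimmed first, then any value that still contains CR or LF is rejected rather than passed through.

```php
<?php
declare(strict_types=1);

// Added example, not slim/psr7's own code. Names here are hypothetical.
// Reading of RFC 7230 section 3.2 assumed: field-name is a "token", and
// field-content never contains a bare CR or LF (the CRLF terminator is
// added by the message serializer, never by the caller).

final class HeaderGuard
{
    // RFC 7230 "tchar": the only characters allowed in a header name.
    // \z (not $) so a trailing "\n" cannot slip past the end anchor.
    private const TOKEN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

    // field-content: SP, HTAB, printable ASCII, and obs-text (0x80-0xFF).
    // CR (0x0D) and LF (0x0A) are deliberately outside this set.
    private const FIELD_VALUE = '/^[\x20\x09\x21-\x7E\x80-\xFF]*\z/';

    /**
     * Reject any header name that is not a valid token. A name containing
     * a newline is always an error; stripping would only hide the problem.
     */
    public static function assertName(string $name): string
    {
        if (preg_match(self::TOKEN, $name) !== 1) {
            throw new \InvalidArgumentException(
                sprintf('Invalid header name %s', json_encode($name))
            );
        }
        return $name;
    }

    /**
     * Trim leading/trailing CR, LF, SP and HTAB (the workaround the advisory
     * describes for user-supplied values), then reject a value that still
     * contains characters outside field-content, i.e. an embedded newline.
     */
    public static function cleanValue(string $value): string
    {
        $value = trim($value, " \t\r\n");
        if (preg_match(self::FIELD_VALUE, $value) !== 1) {
            throw new \InvalidArgumentException(
                sprintf('Invalid header value %s', json_encode($value))
            );
        }
        return $value;
    }
}

// Wrapper so nothing reaches withHeader() unchecked. $message is any
// PSR-7 MessageInterface implementation (requires psr/http-message).
function withSafeHeader(
    \Psr\Http\Message\MessageInterface $message,
    string $name,
    string $value
): \Psr\Http\Message\MessageInterface {
    return $message->withHeader(
        HeaderGuard::assertName($name),
        HeaderGuard::cleanValue($value)
    );
}

// Constructed sample inputs, as if read from an untrusted query parameter.
$samples = [
    ['X-Request-Id', "abc123\n"],           // trailing LF: stripped, accepted
    ['X-Request-Id', "abc\nX-Injected: 1"], // embedded LF: rejected
    ["X-Bad\nName", 'x'],                   // LF in the name: rejected
];

foreach ($samples as [$name, $value]) {
    try {
        $n = HeaderGuard::assertName($name);
        $v = HeaderGuard::cleanValue($value);
        echo "accepted: ", json_encode([$n, $v]), "\n";
    } catch (\InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Running the script accepts only the first sample (as `["X-Request-Id","abc123"]`) and reports the other two as rejected. Once the application is upgraded to 1.6.1, 1.5.1 or 1.4.1 the library performs this validation itself and the wrapper becomes redundant, but keeping the check at the boundary where untrusted input enters still gives a clearer error than an exception raised deep inside the message object.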
Metadata
Created: 2023-04-18T22:20:42Z
Modified: 2023-05-22T14:38:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-q2qj-628g-vhfw/GHSA-q2qj-628g-vhfw.json
CWE IDs: ["CWE-436"]
Alternative ID: GHSA-q2qj-628g-vhfw
Finding: F184
Auto approve: 1