CVE-2022-42471
03.01.2023, 17:15
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attackerto inject arbitrary headers.| Vendor | Product | Version |
|---|---|---|
| fortinet | fortiweb | 6.3.6 ≤ 𝑥 ≤ 6.3.21 |
| fortinet | fortiweb | 6.4.0 |
| fortinet | fortiweb | 6.4.1 |
| fortinet | fortiweb | 6.4.2 |
| fortinet | fortiweb | 7.0.0 |
| fortinet | fortiweb | 7.0.1 |
| fortinet | fortiweb | 7.0.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.