History: Mar 12, 2024 - 3:15 p.m.

CVE-2024-1226

2024-03-12 15:15:47
CWE-93
web.nvd.nist.gov
software vulnerability
http header injection
web security
cross-site scripting
cache poisoning

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.1 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

The software does not neutralize, or incorrectly neutralizes, certain characters before the data is included in outgoing HTTP headers. Including unvalidated data in an HTTP header allows an attacker to specify the full HTTP response rendered by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning.

Affected configurations

Vulners

Node: rejetto http_file_server
Range: 2.2a, build #124

Vendor: rejetto
Product: http_file_server
Version: *
CPE: cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Http File Server ",
    "vendor": "Rejetto ",
    "versions": [
      {
        "status": "affected",
        "version": "2.2a, build #124"
      }
    ]
  }
]
