CVE-2023-29530 — HIGH (7.5)

Q: How severe is CVE-2023-29530?

CVE-2023-29530 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-29530?

Check the references section above for vendor advisories and patch information. Affected products include: Getlaminas Laminas-Diactoros, Guzzlephp Psr-7, Fedoraproject Fedora.

Vulnerability Description

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Getlaminas	Laminas-Diactoros	< 2.18.1
Guzzlephp	Psr-7	< 1.9.1
Fedoraproject	Fedora	38

Related Weaknesses (CWE)

CWE-20

References

https://github.com/advisories/GHSA-wxmh-65f7-jcvwNot Applicable
https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://github.com/advisories/GHSA-wxmh-65f7-jcvwNot Applicable
https://github.com/laminas/laminas-diactoros/security/advisories/GHSA-xv3h-4844-Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory

FAQ

What is CVE-2023-29530?

CVE-2023-29530 is a vulnerability with a CVSS score of 7.5 (HIGH). Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using...

How severe is CVE-2023-29530?

CVE-2023-29530 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-29530?

Check the references section above for vendor advisories and patch information. Affected products include: Getlaminas Laminas-Diactoros, Guzzlephp Psr-7, Fedoraproject Fedora.