CRLF Injection Vulnerability in Proxmox Virtual Environment and Proxmox Mail Gateway
CVE-2022-35507

7.1HIGH

Key Information:

Vendor: Proxmox
Status: Proxmox Mail Gateway; Pve Http Server; Virtual Environment
Vendor: CVE Published:; 4 December 2022

What is CVE-2022-35507?

A CRLF injection vulnerability exists in the web interface of Proxmox Virtual Environment and Proxmox Mail Gateway. This flaw enables remote attackers to manipulate response headers, potentially allowing them to set excessively long cookies in a victim's browser. The vulnerability primarily affects Chromium-based browsers, as they permit such header injections using the %0d character. As a result, users may experience denial-of-service (DoS) conditions on their clients. This issue has been addressed in version 4.1-3 of the pve-http-server.

References

https://git.proxmox.com/?p=pve-http-server.git%3Ba=commit...

https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-...

EPSS Score

33% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2022
Vulnerability Reserved
Jul 11, 2022

JSON