GNOME libsoup
cpe:2.3:a:gnome:libsoup:*:*:*:*:*:*:*
A CRLF injection vulnerability has been identified in libsoup, specifically within the 'soup_message_new()' function. This issue allows remote attackers to inject arbitrary HTTP headers and request data by manipulating the method parameter. The vulnerability arises because the method value is not properly sanitized before being used to construct the request line, potentially leading to HTTP request injection.
Exploitation of this vulnerability allows for CRLF injection, which can be used to manipulate HTTP headers and request data. This could lead to header injection attacks or other forms of HTTP request manipulation.
The vulnerability can be reproduced by calling the 'soup_message_new()' function with a user-controlled method parameter that includes CRLF sequences. This will inject the specified headers into the HTTP request. The injection can be verified by checking the headers received by the server.
To address this vulnerability, it is recommended to sanitize or reject method values that contain invalid characters, including any whitespace. A patch has been proposed and is under review.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.