{"@ID": "93", "@Name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-93-Diagram.png", "Description": "The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "74", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "117", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}}, "Common_Consequences": {"Consequence": {"Scope": "Integrity", "Impact": "Modify Application Data"}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Implementation", "Description": "Avoid using CRLF as a special sequence."}, {"Phase": "Implementation", "Description": "Appropriately filter or quote CRLF sequences in user-controlled input."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-224", "Intro_Text": "The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.", "Example_Code": [{"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null], "#text": "String author = request.getParameter(AUTHOR_PARAM);...Cookie cookie = new Cookie(\"author\", author);cookie.setMaxAge(cookieExpiration);response.addCookie(cookie);"}}, {"@Nature": "Result", "xhtml:div": {"xhtml:br": [null, null, null], "#text": "HTTP/1.1 200 OK...Set-Cookie: author=Jane Smith..."}}, {"@Nature": "Attack", "xhtml:div": "Wiley Hacker\\r\\nHTTP/1.1 200 OK\\r\\n"}, {"@Nature": "Result", "xhtml:div": {"xhtml:br": [null, null, null, null], "#text": "HTTP/1.1 200 OK...Set-Cookie: author=Wiley HackerHTTP/1.1 200 OK..."}}], "Body_Text": ["Assuming a string consisting of standard alpha-numeric characters, such as \"Jane Smith\", is submitted in the request the HTTP response including this cookie might take the following form:", "However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as", "then the HTTP response would be split into two responses of the following form:", "The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including:", {"xhtml:ul": {"xhtml:li": [{"xhtml:div": "cross-user defacement"}, {"xhtml:div": "web and browser cache poisoning"}, {"xhtml:div": "cross-site scripting"}, {"xhtml:div": "page hijacking"}]}}]}, {"@Demonstrative_Example_ID": "DX-236", "Intro_Text": "The following code is a workflow job written\n\t      using YAML. The code attempts to download pull request\n\t      artifacts, unzip from the artifact called pr.zip and\n\t      extract the value of the file NR into a variable\n\t      \"pr_number\" that will be used later in another job.  It\n\t      attempts to create a github workflow environment\n\t      variable, writing to $GITHUB_ENV. The environment\n\t      variable value is retrieved from an external\n\t      resource.", "Example_Code": [{"@Nature": "Bad", "@Language": "Other", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "owner: context.repo.owner,\n\t\t\t    repo: context.repo.repo,\n\t\t\t    run_id: ${{ github.event.workflow_run.id }},"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "return artifact.name == \"pr\""}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "#text": "owner: context.repo.owner,\n\t\t\t    repo: context.repo.repo,\n\t\t\t    artifact_id: matchPrArtifact.id,\n\t\t\t    archive_format: 'zip',"}], "#text": "var artifacts = await github.actions.listWorkflowRunArtifacts({\n\t\t\t  \n\t\t\t  });\n\t\t\t  var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {\n\t\t\t  \n\t\t\t  })[0];\n\t\t\t  var downloadPr = await github.actions.downloadArtifact({\n\t\t\t  \n\t\t\t  });\n\t\t\t  var fs = require('fs');\n\t\t\t  fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));"}, "#text": "script: |"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "unzip pr.zip\n\t\t\techo \"pr_number=$(cat NR)\" >> $GITHUB_ENV"}], "#text": "- name: 'Download artifact'\n\t\t      uses: actions/github-script\n\t\t      with:\n\t\t      \n\t\t      - run: |"}, "#text": "runs-on: ubuntu-latest\n\t\t    steps:"}, "#text": "deploy:"}, "#text": "name: Deploy Preview\n\t\tjobs:"}, {"@Nature": "Attack", "#text": "\\nNODE_OPTIONS=\"--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//\""}, {"@Nature": "Good", "@Language": "Other", "#text": "The code could be modified to validate that the NR\n\t\tfile only contains a numeric value, or the code could\n\t\tretrieve the PR number from a more trusted source."}], "Body_Text": [{"xhtml:p": ["The code does not neutralize the value of the file NR, which is attacker controlled because\n\t      it originates from a pull request that produced pr.zip.", "The attacker could escape the existing\n\t      pr_number and create a new variable using a \"\\n\"\n\t      (CWE-93) followed by any environment variable to be\n\t      added such as:"]}, {"xhtml:p": "This would result in injecting and running\n\t      javascript code (CWE-94) on the workflow runner with\n\t      elevated privileges."}]}, {"Intro_Text": "If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": "logger.info(\"User's street address: \" + request.getParameter(\"streetAddress\"));"}}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-1771", "Description": "CRLF injection enables spam proxy (add mail headers) using email address or name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1771"}, {"Reference": "CVE-2002-1783", "Description": "CRLF injection in API function arguments modify headers for outgoing requests.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1783"}, {"Reference": "CVE-2004-1513", "Description": "Spoofed entries in web server log file via carriage returns", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1513"}, {"Reference": "CVE-2006-4624", "Description": "Chain: inject fake log entries with fake timestamps using CRLF injection", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-4624"}, {"Reference": "CVE-2005-1951", "Description": "Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1951"}, {"Reference": "CVE-2004-1687", "Description": "Chain: HTTP response splitting via CRLF in parameter related to URL.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1687"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "CRLF Injection"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A2", "Entry_Name": "Injection Flaws", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "24", "Entry_Name": "HTTP Request Splitting"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP24", "Entry_Name": "Tainted input to command"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "15"}, {"@CAPEC_ID": "81"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-928"}, {"@External_Reference_ID": "REF-1456"}, {"@External_Reference_ID": "REF-1457"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Likelihood_of_Exploit"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Related_Attack_Patterns, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Research_Gaps"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Diagram, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}], "Previous_Entry_Name": [{"@Date": "2008-04-11", "#text": "CRLF Injection"}, {"@Date": "2009-05-27", "#text": "Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')"}, {"@Date": "2010-06-21", "#text": "Failure to Sanitize CRLF Sequences ('CRLF Injection')"}]}}
