CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Scope
Impact
Modify Application Data
Potential Mitigations
Avoid using CRLF as a special sequence.
Appropriately filter or quote CRLF sequences in user-controlled input.
CVE-2002-1771CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513Spoofed entries in web server log file via carriage returns
CVE-2006-4624Chain: inject fake log entries with fake timestamps using CRLF injection
CVE-2005-1951Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687Chain: HTTP response splitting via CRLF in parameter related to URL.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now