WARNING: CRLF INJECTION IN REFIT LIBRARY .NET CORE, XAMARIN AND .NET PATCH IMMEDIATELY!
CVE-2024-51501: CVSS 10.0(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Sources
NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-51501
Risques
The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection, eventually leading to gaining unauthorized access to internal systems or services.
Description
Refit versions prior to 7.2.22 and 8.0.0 are vulnerable to CRLF injection via header-related attributes. Attackers can inject additional HTTP headers or smuggle requests, enabling request splitting and Server-Side Request Forgery (SSRF) in web applications.
If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection.
Actions recommandées
This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Références
Snyk Security - https://security.snyk.io/vuln/SNYK-DOTNET-REFIT-8344796