ID

VAR-202301-1573


CVE

CVE-2022-3918


TITLE

Injection vulnerability in Swift Foundation

Trust: 0.8

sources: JVNDB: JVNDB-2022-007831

DESCRIPTION

A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF (\r\n) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http://example.com/ with the GET method. Suppose we set the URLRequest header "Foo" to the value "Bar\r\nExtra-Header: Added\r\nGET /other HTTP/1.1". When this request is sent, it will appear to the server as two requests:

GET / HTTP/1.1
Foo: Bar
Extra-Header: Added
GET /other HTTP/1.1

In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below. Swift Foundation contains an injection vulnerability. Information may be disclosed, information may be tampered with, and service operation may be interrupted (DoS). However, ...
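As an added illustration (not code from the advisory or from swift-corelibs-foundation), the following Swift wrapper rejects any header value containing CR or LF before it reaches URLRequest, which is the sanitization the advisory recommends for untrusted input on versions without the patch. The function and error names are my own.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking   // URLRequest lives here on Linux
#endif

/// Thrown when a header value could split the serialized HTTP request.
enum HeaderValueError: Error {
    case containsLineBreak(field: String)
}

/// True if the value contains CR or LF; a server would read whatever follows
/// as extra headers or as a second request line.
func containsCRLF(_ value: String) -> Bool {
    return value.unicodeScalars.contains { $0 == "\r" || $0 == "\n" }
}

/// Sets a header only after verifying the value cannot inject new lines.
/// Use this instead of setValue(_:forHTTPHeaderField:) wherever the value
/// comes from untrusted input.
func setValidatedHeader(_ value: String, forField field: String,
                        on request: inout URLRequest) throws {
    guard !containsCRLF(value) else {
        throw HeaderValueError.containsLineBreak(field: field)
    }
    request.setValue(value, forHTTPHeaderField: field)
}

// Constructed sample: the header value from the advisory, with explicit CRLFs.
var request = URLRequest(url: URL(string: "http://example.com/")!)
let untrusted = "Bar\r\nExtra-Header: Added\r\nGET /other HTTP/1.1"
do {
    try setValidatedHeader(untrusted, forField: "Foo", on: &request)
} catch {
    // The request is never sent with a header that would split it.
    print("rejected header value: \(error)")
}
try? setValidatedHeader("Bar", forField: "Foo", on: &request)   // plain value is accepted
```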

Trust: 1.8

sources: NVD: CVE-2022-3918 // JVNDB: JVNDB-2022-007831 // VULHUB: VHN-434962 // VULMON: CVE-2022-3918

AFFECTED PRODUCTS

vendor: apple / model: swift foundation / scope: lt / version: 5.7.3

Trust: 1.0

vendor: Apple / model: swift foundation / scope: eq / version: -

Trust: 0.8

vendor: Apple / model: swift foundation / scope: - / version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-007831 // NVD: CVE-2022-3918

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-3918
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2022-3918
value: HIGH

Trust: 1.0

NVD: CVE-2022-3918
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202301-1583
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-3918
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-3918
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-007831 // CNNVD: CNNVD-202301-1583 // NVD: CVE-2022-3918 // NVD: CVE-2022-3918

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.1

problemtype: injection (CWE-74) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-434962 // JVNDB: JVNDB-2022-007831 // NVD: CVE-2022-3918

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202301-1583

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202301-1583

PATCH

title: CRLF injection vulnerability in swift-corelibs-foundation
url: https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-4pp3-mpf2-rj63

Trust: 0.8

title: swift-corelibs-foundation repair measures for injection vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=223693

Trust: 0.6

sources: JVNDB: JVNDB-2022-007831 // CNNVD: CNNVD-202301-1583

EXTERNAL IDS

db: NVD / id: CVE-2022-3918

Trust: 3.4

db: JVNDB / id: JVNDB-2022-007831

Trust: 0.8

db: CNNVD / id: CNNVD-202301-1583

Trust: 0.6

db: VULHUB / id: VHN-434962

Trust: 0.1

db: VULMON / id: CVE-2022-3918

Trust: 0.1

sources: VULHUB: VHN-434962 // VULMON: CVE-2022-3918 // JVNDB: JVNDB-2022-007831 // CNNVD: CNNVD-202301-1583 // NVD: CVE-2022-3918

REFERENCES

url: https://github.com/apple/swift-corelibs-foundation/security/advisories/ghsa-4pp3-mpf2-rj63

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-3918

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2022-3918/

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-434962 // VULMON: CVE-2022-3918 // JVNDB: JVNDB-2022-007831 // CNNVD: CNNVD-202301-1583 // NVD: CVE-2022-3918

SOURCES

db: VULHUB / id: VHN-434962
db: VULMON / id: CVE-2022-3918
db: JVNDB / id: JVNDB-2022-007831
db: CNNVD / id: CNNVD-202301-1583
db: NVD / id: CVE-2022-3918

LAST UPDATE DATE

2025-04-02T23:22:59.084000+00:00


SOURCES UPDATE DATE

db: VULHUB / id: VHN-434962 / date: 2023-02-02T00:00:00
db: VULMON / id: CVE-2022-3918 / date: 2023-01-23T00:00:00
db: JVNDB / id: JVNDB-2022-007831 / date: 2023-07-21T02:58:00
db: CNNVD / id: CNNVD-202301-1583 / date: 2023-02-03T00:00:00
db: NVD / id: CVE-2022-3918 / date: 2025-04-02T16:15:21.630

SOURCES RELEASE DATE

db: VULHUB / id: VHN-434962 / date: 2023-01-20T00:00:00
db: VULMON / id: CVE-2022-3918 / date: 2023-01-20T00:00:00
db: JVNDB / id: JVNDB-2022-007831 / date: 2023-07-21T00:00:00
db: CNNVD / id: CNNVD-202301-1583 / date: 2023-01-20T00:00:00
db: NVD / id: CVE-2022-3918 / date: 2023-01-20T20:15:10.617