Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2002-1405 — CRLF Injection in Lynx

7 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

13.1%

top 5.86%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

University OF Kansas Lynx Debian Lynx Elinks +1 more

Timeline

PublishedFeb 19

Latest updateMay 3

Description

CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶debiandebian/lynx< lynx 2.8.4.1b-4 (bookworm)

▶Debianuniversity_of_kansas/lynx< 2.8.4.1b-4+3

▶NVDuniversity_of_kansas/lynx6 versions+5

▶NVDlinks/links0.96

▶NVDelinks/elinks0.2.4, 0.3.2+1

Patches

Patch: www.debian.org ↗Patch: www.iss.net ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-27fc-4jc3-pjvm: CRLF injection vulnerability in Lynx 2↗2022-05-03

▶

OSV

CVE-2002-1405: CRLF injection vulnerability in Lynx 2↗2003-02-19

▶

💥Exploits & PoCs

Exploit-DB

Lynx 2.8.x - Command Line URL CRLF Injection↗2002-08-19

▶

📋Vendor Advisories

Red Hat

security flaw↗2002-08-19

▶

Debian

CVE-2002-1405: lynx - CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers t...↗2002

▶

💬Community

Bugzilla

CVE-2002-1405 security flaw↗2018-08-16

▶