CVE-2013-3373: Code Injection in Request-tracker4

CWE-94 (Code Injection) | 4 documents | 4 sources
Severity: 5.0 MEDIUM (NVD)
EPSS: 0.5% (top 34.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; latest update May 17

Description

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

debian: debian/request-tracker4 < request-tracker4 4.0.12-2 (bookworm)
NVD: bestpractical/rt (30 versions)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-22c6-pmf5-543m: CRLF injection vulnerability in Request Tracker (RT) 3 | 2022-05-17
OSV: CVE-2013-3373: CRLF injection vulnerability in Request Tracker (RT) 3 | 2013-08-23

📋 Vendor Advisories (1)

Debian: CVE-2013-3373: request-tracker4 - CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0... | 2013