
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability list (120)

A collection of 120 CVE vulnerabilities in the CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') weakness class, with AI-generated analysis in Chinese.

CRLF injection is an input-validation flaw: the program fails to filter carriage-return and line-feed characters out of user input. An attacker exploits it by injecting CRLF sequences that tamper with HTTP response headers or forge log entries, which in turn enables session hijacking, cross-site scripting or cache poisoning. Developers should validate user input against a strict whitelist so that it contains only permitted characters, and escape or remove CRLF sequences before the input is used, so that the injection path is closed.

MITRE CWE official description
CWE: CWE-93 Improper Neutralization of CRLF Sequences (CRLF Injection). Description (translated): The product uses CRLF (carriage return line feed) as a special element, for example to separate lines or records, but does not neutralize, or incorrectly neutralizes, CRLF sequences in input.
Common consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Code examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    // the request parameter is copied into a Set-Cookie header without
    // neutralizing CR/LF, so a value containing CRLF ends the header line
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Bad · Java
    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
Result
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
    name: Deploy Preview
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: 'Download artifact'
            uses: actions/github-script
            with:
              script: |
                var artifacts = await github.actions.listWorkflowRunArtifacts({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: ${{ github.event.workflow_run.id }},
                });
                var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
                  return artifact.name == "pr"
                })[0];
                var downloadPr = await github.actions.downloadArtifact({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  artifact_id: matchPrArtifact.id,
                  archive_format: 'zip',
                });
                var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
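The cookie example above, re-created as a small Python demonstration added here (not code from the CWE entry or from this catalogue): build_response shows how an unneutralized author value turns the single Set-Cookie header into two headers, and the allow-list check in neutralize rejects that same value before it reaches the response. All function names, the allow-list policy and the hostile sample value are constructed for this example.

```python
import re

# Allow-list for a cookie value: printable ASCII only, which excludes CR (0x0d),
# LF (0x0a) and NUL. Hypothetical policy chosen for this example.
_ALLOWED = re.compile(r"[\x20-\x7e]*")
_LINE_BREAK = re.compile(r"[\r\n\x00]")


def contains_crlf(value: str) -> bool:
    """Detection check: does the value carry a character that ends a header line?"""
    return _LINE_BREAK.search(value) is not None


def neutralize(value: str) -> str:
    """Allow-list validation (mitigation 2 above): reject rather than silently
    strip, so the caller can log the event and refuse the request."""
    if _ALLOWED.fullmatch(value) is None:
        raise ValueError("cookie value contains characters outside the allow-list")
    return value


def build_response(author: str, hardened: bool) -> bytes:
    """Emit the response the servlet above would send. hardened=False copies the
    request parameter straight into the header, as the Bad example does."""
    value = neutralize(author) if hardened else author
    return f"HTTP/1.1 200 OK\r\nSet-Cookie: author={value}\r\n\r\n".encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal header parser, reading the response the way a proxy or browser does."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


# Constructed request parameter: a name followed by CRLF and a second header line.
HOSTILE_AUTHOR = "Jane Smith\r\nX-Injected: yes"

if __name__ == "__main__":
    print(parse_headers(build_response(HOSTILE_AUTHOR, hardened=False)))
    try:
        build_response(HOSTILE_AUTHOR, hardened=True)
    except ValueError as err:
        print("rejected:", err)
```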
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2025-25184 | Rack security vulnerability | rack | 4.3 | - | 2025-02-12
CVE-2024-48868 | QNAP Systems QTS and QuTS hero security vulnerability | QTS | 5.3 | - | 2024-12-06
CVE-2024-48867 | QNAP Systems QTS and QuTS hero security vulnerability | QTS | 5.3 | - | 2024-12-06
CVE-2024-51501 | Refit injection vulnerability | refit | 6.5 | Medium (AI) | 2024-11-04
CVE-2024-7472 | Lunary security vulnerability | lunary-ai/lunary | 5.3 | Medium (AI) | 2024-10-29
CVE-2024-45597 | Pluto injection vulnerability | Pluto | 5.3 | Medium | 2024-09-10
CVE-2024-45302 | RestSharp security vulnerability | RestSharp | 6.1 | Medium | 2024-08-29
CVE-2024-5193 | CVE ID reserved | TinyWeb Server | 5.3 | Medium | 2024-05-22
CVE-2024-1226 | Rejetto Http File Server injection vulnerability | Http File Server | 7.5 | High | 2024-03-12
CVE-2024-20337 | Cisco Secure Client security vulnerability | Cisco Secure Client | 8.2 | High | 2024-03-06
CVE-2023-49082 | aiohttp injection vulnerability | aiohttp | 5.3 | Medium | 2023-11-29
CVE-2023-4768 | ZOHO ManageEngine Desktop Central injection vulnerability | Desktop Central | 6.1 | Medium | 2023-11-03
CVE-2023-4767 | ZOHO ManageEngine Desktop Central injection vulnerability | Desktop Central | 6.1 | Medium | 2023-11-03
CVE-2023-26148 | libhv injection vulnerability | ithewei/libhv | 5.4 | Medium | 2023-09-29
CVE-2023-26138 | Drogon injection vulnerability | drogonframework/drogon | 5.4 | Medium | 2023-07-06
CVE-2023-26130 | cpp-httplib injection vulnerability | yhirose/cpp-httplib | 7.5 | High | 2023-05-30
CVE-2023-23936 | undici injection vulnerability | undici | 6.5 | Medium | 2023-02-16
CVE-2023-0040 | Async injection vulnerability | Async HTTP Client | 7.5 | - | 2023-01-18
CVE-2022-35948 | undici injection vulnerability | undici | 5.3 | Medium | 2022-08-13
CVE-2022-31150 | undici injection vulnerability | undici | 5.3 | Medium | 2022-07-19
CVE-2022-0666 | Microweber injection vulnerability | microweber/microweber | 6.5 | - | 2022-02-18
CVE-2021-4097 | phpservermon injection vulnerability | phpservermon/phpservermon | 5.4 | - | 2021-12-11
CVE-2021-39172 | Cachet injection vulnerability | Cachet | 8.8 | High | 2021-08-27
CVE-2021-31164 | Apache Unomi injection vulnerability | Apache Unomi | 9.1 | - | 2021-05-04
CVE-2020-3561 | Cisco Adaptive Security Appliances Software injection vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 6.1 | - | 2020-10-21
CVE-2020-11078 | httplib2 injection vulnerability | httplib2 | 6.8 | Medium | 2020-05-20
CVE-2020-3246 | Cisco Umbrella injection vulnerability | Cisco Umbrella | 4.3 | - | 2020-05-06
CVE-2019-15616 | Nextcloud Server injection vulnerability | Nextcloud Server | 6.5 | - | 2020-02-04
CVE-2018-12477 | Open Build Service security vulnerability | Open Build Service | 6.5 | - | 2018-10-09
CVE-2018-12537 | Eclipse Vert.x security vulnerability | Eclipse Vert.x | 5.3 | - | 2018-08-14

CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) is a common weakness category; this platform has collected 120 CVE vulnerabilities associated with it.