CVE-2026-43969

Gravedad CVSS v4.0:

BAJA

Tipo:

CWE-93 Neutralización incorrecta de secuencias de retornos de carro y saltos de linea (CRLF)

Fecha de publicación:

11/05/2026

Última modificación:

11/05/2026

Descripción

*** Pendiente de traducción *** Improper Neutralization of CRLF Sequences (&#39;CRLF Injection&#39;) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.<br /> <br /> cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.<br /> <br /> This issue affects cowlib from 2.9.0.

Impacto

Vector 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS v4.0 Severidad y Métricas:

Puntuación base: 2.10 BAJA
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Vector de acceso (AV): Local
Complejidad de acceso (AC): Bajo
Attack Requirements (AT): Present
Privilegios Requeridos (PR): Ninguno
Interacción del usuario (UI): Ninguno
Confidentiality (VC): Ninguno
Integrity (VI): Bajo
Availability (VA): Ninguno
Confidentiality (SC): Ninguno
Integrity (SI): Bajo
Availability (SA): Ninguno

Puntuación base 4.0

2.10

Gravedad 4.0

BAJA

CVE-2026-43969

Descripción

Impacto

Referencias a soluciones, herramientas e información