CVE-2024-5193

MEDIUM

Ritlabs TinyWeb Server <1.99 - CRLF Injection

Title source: llm

Description

A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. This vulnerability affects unknown code of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.99 is able to resolve this issue. The identifier of the patch is d49c3da6a97e950975b18626878f3ee1f082358e. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.

References (7)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.265830

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.265830

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.333059

[Exploit] https://github.com/DMCERTCE/CRLF_Tiny

View Exploit ZIP pw:eip

[Patch] https://github.com/maximmasiutin/TinyWeb/commit/d49c3da6a97e950975b18626878f3ee1f082358e

View Patch ZIP pw:eip

[Release Notes] https://github.com/maximmasiutin/TinyWeb/releases/tag/v1.99

[Various Sources] https://www.masiutin.net/tinyweb-cve-2024-5193.html

Scores

CVSS v3 5.3

EPSS 0.0039

EPSS Percentile 60.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-93 CWE-74

Status published

Products (1)

ritlabs/tinyweb 1.94

Published May 22, 2024

Tracked Since Feb 18, 2026