Skip to main content

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2017-7528

Severity Medium
Score 6.5/10

Summary

Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).

  • LOW
  • ADJACENT_NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

Advisory Timeline

  • Published