What is the severity of CVE-2022-3215?

CVE-2022-3215 has a severity level of 7.5, which is considered high.

Which software is affected by CVE-2022-3215?

CVE-2022-3215 affects Apple Swiftnio versions up to 2.29.1, versions between 2.30.0 and 2.39.1, and versions between 2.40.0 and 2.42.0.

How can I fix CVE-2022-3215?

To fix CVE-2022-3215, it is recommended to update your Apple Swiftnio software to a version higher than 2.42.0.

Vulnerability/
CVE-2022-3215

high

7.5

CWE

74 113 79

28/9/2022

3/8/2024

CVE-2022-3215: XSS

Q: What is CVE-2022-3215?

CVE-2022-3215 is a vulnerability that affects NIOHTTP1 and projects using it for generating HTTP responses. It allows for HTTP Response Injection attacks.

Q: How does CVE-2022-3215 work?

CVE-2022-3215 occurs when a HTTP/1.1 server accepts user-generated input from an incoming request and reflects it into a HTTP/1.1 response header, allowing for HTTP Response Injection.

First published: Wed Sep 28 2022(Updated: )

NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace.

Credit: cve@forums.swift.org

Affected Software	Affected Version	How to fix
Apple Swiftnio	<2.29.1
Apple Swiftnio	>=2.30.0<2.39.1
Apple Swiftnio	>=2.40.0<2.42.0

Never miss a vulnerability like this again

Reference Links

https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f

Frequently Asked Questions

What is CVE-2022-3215?
CVE-2022-3215 is a vulnerability that affects NIOHTTP1 and projects using it for generating HTTP responses. It allows for HTTP Response Injection attacks.
What is the severity of CVE-2022-3215?
CVE-2022-3215 has a severity level of 7.5, which is considered high.
How does CVE-2022-3215 work?
CVE-2022-3215 occurs when a HTTP/1.1 server accepts user-generated input from an incoming request and reflects it into a HTTP/1.1 response header, allowing for HTTP Response Injection.
Which software is affected by CVE-2022-3215?
CVE-2022-3215 affects Apple Swiftnio versions up to 2.29.1, versions between 2.30.0 and 2.39.1, and versions between 2.40.0 and 2.42.0.
How can I fix CVE-2022-3215?
To fix CVE-2022-3215, it is recommended to update your Apple Swiftnio software to a version higher than 2.42.0.

collector/nvd-index
agent/author
agent/severity
agent/references
agent/tags
agent/description
agent/event
agent/weakness
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
vendor/apple
canonical/apple swiftnio
version/apple swiftnio/2.30.0
version/apple swiftnio/2.40.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.