JVN#68971465
voidtools "Everything" vulnerable to HTTP header injection
Overview
Everything provided by voidtools contains an HTTP header injection vulnerability.
Products Affected
- All versions of Everything 1.0 (Everything 1.0 series)
- All versions of Everything 1.1 (Everything 1.1 series)
- All versions of Everything 1.2 (Everything 1.2 series)
Description
The HTTP server of Everything provided by voidtools contains an HTTP header injection vulnerability (CWE-644).
Impact
An arbitrary script may be executed, or the displayed page may be altered, in the web browser of a user who accesses a website that uses the product.
Solution
Update the application
Update the application to the latest version according to the information provided by the developer.
Use the Everything Lite version
The developer recommends using the Everything Lite version if there is no need to use the HTTP server.
Vendor Status
Vendor | Link |
---|---|
voidtools | Download Everything |
| Home Everything |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |

Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity (AC) | High (H) | Medium (M) | Low (L) |
Authentication (Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact (I) | None (N) | Partial (P) | Complete (C) |
Availability Impact (A) | None (N) | Partial (P) | Complete (C) |
Credit
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20784 |
JVN iPedia | JVNDB-2021-000067 |
Update History
- 2022/10/26
- Updated information under the sections [Products Affected] and [Solution]