Published: 2021/07/09  Last Updated: 2021/07/09

JVN#68971465
voidtools "Everything" vulnerable to HTTP header injection

Overview

Everything provided by voidtools contains an HTTP header injection vulnerability.

Products Affected

  • Everything all versions except the Lite version
According to the developer, the Lite version does not include the HTTP server and therefore is not affected by this vulnerability.

Description

The HTTP server of Everything provided by voidtools contains an HTTP header injection vulnerability (CWE-644).

Impact

When a user accesses a website that uses the product, an arbitrary script may be executed in the user's web browser, or the displayed page may be altered.
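
The following is an added example of the vulnerability class named above; it is not code from Everything or from the advisory. It shows how a request-derived value copied into a response header can end the header block, and the hardened form that refuses it. The header name, function names and sample value are assumptions constructed for illustration; the advisory does not state which header is affected.

```python
import re

# Constructed sample: a request-derived value carrying CR/LF and markup.
SAMPLE_VALUE = "report.txt\r\nContent-Type: text/html\r\n\r\n<b>injected body</b>"

# CR, LF and other control characters must never reach a header line (tab excluded).
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def build_response_unsafe(filename: str, body: str) -> bytes:
    """'Before' form: the value is copied into the header block verbatim."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        # Hypothetical header chosen for the example.
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
    )
    return (head + body).encode("latin-1")


def build_response_safe(filename: str, body: str) -> bytes:
    """Hardened form: refuse any value that could end the header line or its quoting."""
    if _FORBIDDEN.search(filename) or '"' in filename:
        raise ValueError("control character or quote in header value")
    return build_response_unsafe(filename, body)


def parse_response(raw: bytes):
    """Split a raw response as a client does: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    headers = [tuple(part.strip() for part in line.split(":", 1)) for line in lines]
    return headers, body


if __name__ == "__main__":
    headers, body = parse_response(build_response_unsafe(SAMPLE_VALUE, "file contents"))
    print("unsafe headers:", headers)
    print("unsafe body starts with:", body[:20])
    try:
        build_response_safe(SAMPLE_VALUE, "file contents")
    except ValueError as exc:
        print("safe builder rejected the value:", exc)
```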

Solution

Use the Everything Lite version
The developer recommends using the Everything Lite version, which does not include the HTTP server that may be affected by this vulnerability.
Also according to the developer, the HTTP server will be available only in plug-in format in the future.

Vendor Status

Vendor: voidtools
Links: Download Everything, Home Everything

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:N
Base Score: 5.8
  • Access Vector (AV): Network (N)
  • Access Complexity (AC): Medium (M)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): None (N)

Credit

Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20784
JVN iPedia: JVNDB-2021-000067