CVE-2024-5193

A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. This vulnerability affects unknown code of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.99 is able to resolve this issue. The identifier of the patch is d49c3da6a97e950975b18626878f3ee1f082358e. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/DMCERTCE/CRLF_Tiny	Exploit
https://github.com/maximmasiutin/TinyWeb/commit/d49c3da6a97e950975b18626878f3ee1f082358e
https://github.com/maximmasiutin/TinyWeb/releases/tag/v1.99
https://vuldb.com/?ctiid.265830	Permissions Required VDB Entry
https://vuldb.com/?id.265830	Third Party Advisory VDB Entry
https://vuldb.com/?submit.333059	Third Party Advisory VDB Entry
https://www.masiutin.net/tinyweb-cve-2024-5193.html
https://github.com/DMCERTCE/CRLF_Tiny	Exploit
https://vuldb.com/?ctiid.265830	Permissions Required VDB Entry
https://vuldb.com/?id.265830	Third Party Advisory VDB Entry
https://vuldb.com/?submit.333059	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:ritlabs:tinyweb:1.94:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-05-22 11:15

Updated : 2026-01-05 19:15

NVD link : CVE-2024-5193

Mitre link : CVE-2024-5193

CVE.ORG link : CVE-2024-5193

JSON object : View

Products Affected

ritlabs

tinyweb

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

{"id": "CVE-2024-5193", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-05-22T11:15:53.487", "references": [{"url": "https://github.com/DMCERTCE/CRLF_Tiny", "tags": ["Exploit"], "source": "cna@vuldb.com"}, {"url": "https://github.com/maximmasiutin/TinyWeb/commit/d49c3da6a97e950975b18626878f3ee1f082358e", "source": "cna@vuldb.com"}, {"url": "https://github.com/maximmasiutin/TinyWeb/releases/tag/v1.99", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.265830", "tags": ["Permissions Required", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.265830", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.333059", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://www.masiutin.net/tinyweb-cve-2024-5193.html", "source": "cna@vuldb.com"}, {"url": "https://github.com/DMCERTCE/CRLF_Tiny", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vuldb.com/?ctiid.265830", "tags": ["Permissions Required", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vuldb.com/?id.265830", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vuldb.com/?submit.333059", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. This vulnerability affects unknown code of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.99 is able to resolve this issue. The identifier of the patch is d49c3da6a97e950975b18626878f3ee1f082358e. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Ritlabs TinyWeb Server 1.94. Ha sido clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del componente Request Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n con la entrada %0D%0A conduce a la inyecci\u00f3n crlf. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-265830 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "lastModified": "2026-01-05T19:15:55.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ritlabs:tinyweb:1.94:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45D37E23-FA98-4094-B4FB-495C102613DA"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}