VYPR
Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20802

Description

HTTP header injection vulnerability in Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to alter the information stored in the product.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An HTTP header injection in Cybozu Remote Service 3.1.8-3.1.9 lets a remote attacker with low privileges alter stored data.

Vulnerability

An HTTP header injection vulnerability exists in Cybozu Remote Service versions 3.1.8 to 3.1.9 [1][2]. The vulnerability is identified as CyVDB-1814 and allows an attacker to inject arbitrary HTTP headers into responses, potentially leading to the alteration of information stored in the product [1][2].

Exploitation

To exploit this vulnerability, an attacker must have low-level privileges (i.e., be authenticated with basic access rights) and network access to the affected service [2]. The attack complexity is low and no user interaction is required [2]. The attacker sends crafted input that results in HTTP header injection, modifying stored data [1][2].

Impact

Successful exploitation allows the attacker to alter information stored in the product, compromising the integrity of the data [1]. The impact is limited to integrity with no effect on confidentiality or availability, and the scope of impact remains within the vulnerable component [2]. The CVSS v3 base score is 4.3 (Medium) [2].

Mitigation

Cybozu has addressed this vulnerability in version 4.0.0 of Cybozu Remote Service, released on or before 2021-09-29 [2]. Users should upgrade to version 4.0.0 or later. No workaround is provided, and the older versions (3.1.8 and 3.1.9) no longer receive fixes [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
