CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Example Vulnerable Codes
Example - 1
If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.
logger.info("User's street address: " + request.getParameter("streetAddress"));Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Go to
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Go to
CWE-117: Improper Output Neutralization for Logs
Go to
CWE-144: Improper Neutralization of Line Delimiters
Go to
CWE-145: Improper Neutralization of Section Delimiters
Go to
Visit http://cwe.mitre.org/ for more details.