Cisco Bug: CSCvs93297 - Cisco Umbrella Carriage Return Line Feed Injection Vulnerability
May 06, 2020
- Cisco Umbrella
Known Affected Releases
Symptom: A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to the browser of the user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-head-inject-n4QArJH Conditions: At the time of publication, this vulnerability affected Cisco Umbrella, which is cloud based. Cisco has addressed this vulnerability in Cisco Umbrella, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI. Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases