Pluto's http.request allows CR and LF in header values

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

对CRLF序列的转义处理不恰当(CRLF注入)

Pluto 注入漏洞

Pluto是PlutoLang开源的一种 Lua 的独特语言。用于通用编程。 Pluto 0.9.0至0.9.4版本存在注入漏洞，该漏洞源于将用户控制的值传递给http.request标头值的脚本会受到影响，从而攻击者可发送任意请求，并潜在地利用同一标头表中提供的身份验证令牌。

N/A

N/A