4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41114

GHSA ID

GHSA-m2jh-fxw4-gphm

EPSS Score

0.5198%

CWE

CWE-20

Published

10/5/2021

Updated

2/5/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41114

CVE-2021-41114: HTTP Host Header Injection

Problem

It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment.

This vulnerability is the same as described in TYPO3-CORE-SA-2014-001 (CVE-2014-3941). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] (used as an effective mitigation strategy in previous TYPO3 versions) was not evaluated anymore, and reintroduced the vulnerability.

Solution

Update your instance to TYPO3 version 11.5.0 which addresses the problem described.

Credits

Thanks to TYPO3 framework merger Benjamin Franzke who reported and fixed the issue.

References

TYPO3-CORE-SA-2021-015
CVE-2014-3941 reintroduced in TYPO3 v11.0.0

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41114

GHSA ID

GHSA-m2jh-fxw4-gphm

EPSS Score

0.5198%

CWE

CWE-20

Published

10/5/2021

Updated

2/5/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 11.0.0, < 11.5.0	11.5.0
typo3/cms	composer	>= 11.0.0, < 11.5.0	11.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a regression where the trustedHostsPattern validation was not executed. The commit diff shows the security check (GeneralUtility::isAllowedHostHeaderValue) was removed from determineHttpHost, which handles Host header normalization. This omission in versions 11.0.0-11.4.0 left the system without proper Host header validation. The fix reintroduced validation via middleware, confirming this was the missing safeguard.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### M*t* * *VSS: `*VSS:*.*/*V:N/**:*/PR:N/UI:N/S:U/*:N/I:L/*:N/*:*/RL:O/R*:*` (*.*) ### Pro*l*m It **s ***n *is*ov*r** t**t TYPO* *MS is sus**pti*l* to *ost spoo*in* *u* to improp*r v*li**tion o* t** *TTP _*ost_ *****r. TYPO* us*s t** *TTP _*ost_ **

Reasoning

T** vuln*r**ility st*ms *rom * r**r*ssion w**r* t** trust***ostsP*tt*rn v*li**tion w*s not *x**ut**. T** *ommit *i** s*ows t** s**urity ****k (`**n*r*lUtility::is*llow***ost*****rV*lu*`) w*s r*mov** *rom `**t*rmin**ttp*ost`, w*i** **n*l*s *ost *****r

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-41114: HTTP Host Header Injection

Meta

Problem

Solution

Credits

References

4.8

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Detect and Respond To Threats Faster.

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-41114: HTTP Host Header Injection

Meta

Problem

Solution

Credits

References

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI