
CVE-2021-41114: HTTP Host Header Injection

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.5198%
Published: 10/5/2021
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
typo3/cms-core | composer | >= 11.0.0, < 11.5.0 | 11.5.0
typo3/cms | composer | >= 11.0.0, < 11.5.0 | 11.5.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a regression: the trustedHostsPattern validation was no longer executed. The commit diff shows that the security check (GeneralUtility::isAllowedHostHeaderValue) had been removed from determineHttpHost, the routine that normalizes the Host header, so every 11.x release before 11.5.0 accepted whatever Host value the client sent without checking it against the configured pattern. Because the Host header is client-controlled, it can be set to any value, which is the host spoofing the advisory describes. The fix reintroduced the validation as middleware, confirming that this check was the missing safeguard.
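As an added illustration, and not code from this page or from TYPO3 itself, the stand-alone PHP below models the regression described above: a Host-normalising helper from which the trusted-hosts check has been dropped, the same helper with the check restored, and a middleware-style gate that rejects the request before any absolute URL is built from the header. The function names borrow from the analysis (isAllowedHostHeaderValue, determineHttpHost) but are simplified stand-ins, not TYPO3's implementations; the pattern semantics ('SERVER_NAME' for the server's own name, '.*' as allow-all, anything else as an anchored regex), the password-reset URL builder and the request arrays are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical, self-contained model of the regression; not TYPO3 code.
// Pattern semantics assumed here: 'SERVER_NAME' -> only the server's own name
// (optional :port ignored), '.*' -> allow all, anything else -> anchored regex.
function isAllowedHostHeaderValue(string $host, string $trustedHostsPattern, string $serverName): bool
{
    if ($trustedHostsPattern === '.*') {
        return true; // explicit opt-out: the check becomes a no-op
    }
    if ($trustedHostsPattern === 'SERVER_NAME') {
        $hostWithoutPort = preg_replace('/:\d+$/', '', $host);
        return strcasecmp($hostWithoutPort, $serverName) === 0;
    }
    // Anchored, case-insensitive match. The pattern is operator-supplied config,
    // never request data, so it is safe to embed in the regex.
    return preg_match('/^' . $trustedHostsPattern . '$/i', $host) === 1;
}

// Vulnerable shape: normalises the header but never validates it.
function determineHttpHostVulnerable(array $server): string
{
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    return strtolower(trim($host));
}

// Hardened shape: same normalisation, gated by the trusted-hosts check.
function determineHttpHostHardened(array $server, string $trustedHostsPattern): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? $server['SERVER_NAME']));
    if (!isAllowedHostHeaderValue($host, $trustedHostsPattern, $server['SERVER_NAME'])) {
        throw new RuntimeException('Untrusted Host header: ' . $host);
    }
    return $host;
}

// Where a spoofed value ends up: an absolute URL derived from the Host header.
function buildPasswordResetUrl(string $httpHost, string $token): string
{
    return 'https://' . $httpHost . '/reset?token=' . rawurlencode($token);
}

// Middleware-style gate: fail closed before any handler sees the request.
function verifyHostHeaderMiddleware(array $server, string $trustedHostsPattern, callable $next): array
{
    $host = $server['HTTP_HOST'] ?? '';
    if (!isAllowedHostHeaderValue($host, $trustedHostsPattern, $server['SERVER_NAME'])) {
        return ['status' => 400, 'body' => 'Bad Request: untrusted Host header'];
    }
    return $next($server);
}

// Constructed request: name-based virtual host, attacker-supplied Host header.
$server = ['SERVER_NAME' => 'www.example.org', 'HTTP_HOST' => 'evil.example.net'];

// Vulnerable path: the reset link is built with the attacker's host.
echo buildPasswordResetUrl(determineHttpHostVulnerable($server), 'abc123'), PHP_EOL;

// Hardened path with the SERVER_NAME pattern: the request is rejected.
$response = verifyHostHeaderMiddleware($server, 'SERVER_NAME', function (array $s): array {
    $host = determineHttpHostHardened($s, 'SERVER_NAME');
    return ['status' => 200, 'body' => buildPasswordResetUrl($host, 'abc123')];
});
echo $response['status'], ' ', $response['body'], PHP_EOL;

// Legitimate subdomain under a regex pattern: passes the gate.
$pattern = '.*\.example\.org';
$ok = verifyHostHeaderMiddleware(
    ['SERVER_NAME' => 'www.example.org', 'HTTP_HOST' => 'shop.example.org'],
    $pattern,
    fn(array $s): array => ['status' => 200, 'body' => determineHttpHostHardened($s, $pattern)]
);
echo $ok['status'], ' ', $ok['body'], PHP_EOL;
```

Two points the model makes visible. First, the check only protects the site if it runs on every request, which is why a middleware that fails closed is a stronger place for it than a helper that callers may bypass; the analysis notes the fix took the middleware route. Second, the safeguard is only as strong as the configured pattern: in this model an allow-all pattern turns the check into a no-op, so restoring the validation code does nothing for a deployment that has opted out of it.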


WAF Protection Rules

WAF Rule

Meta & CVSS (TYPO3 advisory vector): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, with temporal metrics RL:O and RC:C

Problem: It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header …
