CVE-2022-35507: n/a in n/a
A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.
AI Analysis
Technical Summary
CVE-2022-35507 is a response-header CRLF (Carriage Return Line Feed) injection vulnerability affecting the web interfaces of Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG). It allows a remote attacker to inject crafted response headers, because Chromium-based browsers accept response headers split by a bare carriage return (%0d). Specifically, the attacker can manipulate the server's response to set cookies longer than the server expects. This abnormal cookie length can cause a client-side denial of service (DoS) by disrupting normal browser behavior when processing these headers. The vulnerability arises because the web interface does not properly sanitize or validate input that is reflected in HTTP response headers, allowing unintended CRLF sequences to be injected. The issue is classified under CWE-74 (Improper Neutralization of CRLF Sequences in HTTP Headers). The vulnerability does not directly impact the confidentiality or availability of the server; it affects the client-side browser's ability to process responses correctly. It requires no authentication but does require user interaction: the victim must visit a maliciously crafted URL or web page that triggers the injection. The vulnerability is fixed in pve-http-server version 4.1-3. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact (client-side DoS) and the requirement for user interaction. No known exploits are reported in the wild as of the published date (December 2022).
Potential Impact
For European organizations using Proxmox Virtual Environment or Proxmox Mail Gateway, this vulnerability primarily poses a risk to end users' browsers rather than the server infrastructure itself. The client-side DoS can disrupt administrative or user access to the web interfaces, potentially causing temporary loss of management capabilities or mail gateway monitoring. While this does not compromise data confidentiality or server integrity, it can degrade operational efficiency and user experience. In environments where Proxmox is used for critical virtualization infrastructure or mail security, repeated or targeted exploitation could lead to denial of service conditions for administrators or security personnel, delaying response to other incidents. Additionally, the vulnerability could be leveraged as part of a broader attack chain, for example, to facilitate phishing or session fixation attacks by manipulating cookies, although this is not explicitly stated. Given the reliance on Chromium-based browsers in many organizations, the attack surface is significant. However, the lack of known exploits and the medium severity rating indicate a moderate risk level. Organizations with high availability requirements or sensitive operational environments should prioritize remediation to avoid potential disruptions.
Mitigation Recommendations
- Upgrade the pve-http-server component to version 4.1-3 or later, where the vulnerability is fixed.
- Implement strict input validation and sanitization on all user-supplied data that can be reflected in HTTP response headers to prevent CRLF injection.
- Configure web application firewalls (WAFs) to detect and block unusual or malformed HTTP headers that contain CRLF sequences or excessively long cookies.
- Educate users and administrators to avoid clicking on suspicious links or visiting untrusted web pages that could trigger the injection.
- Monitor browser and server logs for unusual cookie sizes or repeated client-side errors indicative of attempted exploitation.
- Consider deploying browser security policies such as Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) to reduce the risk of exploitation via malicious web content.
- In environments where immediate patching is not feasible, restrict access to the Proxmox web interfaces to trusted networks or VPNs to reduce exposure to remote attackers.
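The following is an added illustration, not code from Proxmox or pve-http-server, of the two defensive controls above: validating a reflected value before it is written into a Set-Cookie header (rejecting CR/LF/NUL and capping the length), and scanning access-log lines for percent-encoded CR/LF or oversized query parameters. The 4096-byte cap, the `lang` parameter and the log lines are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical cap for a single reflected header value; tune to the application.
MAX_VALUE_LEN = 4096
_CTL_RE = re.compile(r"[\r\n\x00]")

def build_set_cookie_unsafe(name, value):
    """Pre-fix pattern: the reflected value is copied verbatim into the header."""
    return f"Set-Cookie: {name}={value}"

def sanitize_header_value(value, max_len=MAX_VALUE_LEN):
    """Reject (rather than strip) CR, LF and NUL, and bound the length."""
    if _CTL_RE.search(value):
        raise ValueError("control character in header value")
    if len(value) > max_len:
        raise ValueError("header value exceeds %d bytes" % max_len)
    return value

def build_set_cookie_safe(name, value):
    """Hardened pattern: validate before the value reaches the header line."""
    return f"Set-Cookie: {name}={sanitize_header_value(value)}"

def header_line_count(raw):
    """Number of header lines a client would parse from this raw header text."""
    return len([line for line in raw.split("\r\n") if line])

def suspicious_requests(log_lines, max_len=MAX_VALUE_LEN):
    """Flag access-log lines whose request target carries percent-encoded
    CR/LF (%0d/%0a) or a query parameter longer than max_len."""
    hits = []
    for num, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        if re.search(r"%0[dDaA]", target):
            hits.append((num, "encoded CR/LF in request target"))
        elif any(len(v) > max_len for _, v in
                 parse_qsl(urlsplit(target).query, keep_blank_values=True)):
            hits.append((num, "oversized query parameter"))
    return hits

# Constructed sample log lines (not from any real Proxmox host).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2022:10:00:00 +0000] "GET /?lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2022:10:00:02 +0000] "GET /?lang=en%0d%0aSet-Cookie:%20junk%3dAAAA HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /?lang=' + "A" * 5000 + ' HTTP/1.1" 200 512',
]
```

`header_line_count` shows why the unsafe builder is the bug: a value containing CRLF produces two header lines where one was intended, which is exactly what the safe builder refuses.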
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2022-07-11T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9840c4522896dcbf0f06
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 6/24/2025, 6:10:11 AM
Last updated: 9/26/2025, 1:54:50 AM