Lucene search

[email protected]CVE-2016-4975

HistoryAug 14, 2018 - 12:29 p.m.

CVE-2016-4975

2018-08-1412:29:00

CWE-93

[email protected]

web.nvd.nist.gov

2709

cve-2016-4975

crlf injection

http response splitting

mod_userdir

apache http server 2.4.25

apache http server 2.2.32

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.7%

JSON

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the “Location” or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).

Affected configurations

NVD

Node

apachehttp_serverMatch2.2.0

apachehttp_serverMatch2.2.2

apachehttp_serverMatch2.2.3

apachehttp_serverMatch2.2.4

apachehttp_serverMatch2.2.6

apachehttp_serverMatch2.2.8

apachehttp_serverMatch2.2.9

apachehttp_serverMatch2.2.10

apachehttp_serverMatch2.2.11

apachehttp_serverMatch2.2.12

apachehttp_serverMatch2.2.13

apachehttp_serverMatch2.2.14

apachehttp_serverMatch2.2.15

apachehttp_serverMatch2.2.16

apachehttp_serverMatch2.2.17

apachehttp_serverMatch2.2.18

apachehttp_serverMatch2.2.19

apachehttp_serverMatch2.2.20

apachehttp_serverMatch2.2.21

apachehttp_serverMatch2.2.22

apachehttp_serverMatch2.2.23

apachehttp_serverMatch2.2.24

apachehttp_serverMatch2.2.25

apachehttp_serverMatch2.2.26

apachehttp_serverMatch2.2.27

apachehttp_serverMatch2.2.29

apachehttp_serverMatch2.2.31

apachehttp_serverMatch2.4.1

apachehttp_serverMatch2.4.2

apachehttp_serverMatch2.4.3

apachehttp_serverMatch2.4.4

apachehttp_serverMatch2.4.6

apachehttp_serverMatch2.4.7

apachehttp_serverMatch2.4.9

apachehttp_serverMatch2.4.10

apachehttp_serverMatch2.4.12

apachehttp_serverMatch2.4.16

apachehttp_serverMatch2.4.17

apachehttp_serverMatch2.4.18

apachehttp_serverMatch2.4.20

apachehttp_serverMatch2.4.23

CPENameOperatorVersion
apache:http_serverapache http servereq2.2.0
apache:http_serverapache http servereq2.2.2
apache:http_serverapache http servereq2.2.3
apache:http_serverapache http servereq2.2.4
apache:http_serverapache http servereq2.2.6
apache:http_serverapache http servereq2.2.8
apache:http_serverapache http servereq2.2.9
apache:http_serverapache http servereq2.2.10
apache:http_serverapache http servereq2.2.11
apache:http_serverapache http servereq2.2.12

CPE	Name	Operator	Version
apache:http_server	apache http server	eq	2.2.0
apache:http_server	apache http server	eq	2.2.2
apache:http_server	apache http server	eq	2.2.3
apache:http_server	apache http server	eq	2.2.4
apache:http_server	apache http server	eq	2.2.6
apache:http_server	apache http server	eq	2.2.8
apache:http_server	apache http server	eq	2.2.9
apache:http_server	apache http server	eq	2.2.10
apache:http_server	apache http server	eq	2.2.11
apache:http_server	apache http server	eq	2.2.12

Rows per page:

1-10 of 411

CNA Affected

[
  {
    "product": "Apache HTTP Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23)"
      },
      {
        "status": "affected",
        "version": "Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31)"
      }
    ]
  }
]

References

www.securityfocus.com/bid/105093

httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975

httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975

lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

security.netapp.com/advisory/ntap-20180926-0006/

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.7%

JSON

Related for CVE-2016-4975

httpd2 f51 nuclei1 debiancve1 hackerone1 redhatcve1 veracode1 osv1 nvd1 cvelist1 openvas6 prion1 nessus16 ibm4 ubuntucve1 suse1 redhat4 centos1