CVE-2016-4993

Опубликовано: 08 сент. 2016

Источник: redhat

CVSS3: 5.4

CVSS2: 5.8

EPSS Низкий

Описание

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

It was reported that EAP 7 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 6	tomcat6	Not affected
Red Hat Enterprise Linux 7	tomcat	Not affected
Red Hat JBoss Enterprise Application Platform 6	jbossweb	Not affected
Red Hat JBoss Enterprise Web Server 1	wildfly	Affected
Red Hat JBoss Enterprise Web Server 2	tomcat6	Not affected
Red Hat JBoss Enterprise Web Server 2	tomcat7	Not affected
Red Hat JBoss Enterprise Web Server 3	tomcat7	Not affected
Red Hat JBoss Enterprise Web Server 3	tomcat8	Not affected
Red Hat JBoss Operations Network 3	jbossweb	Not affected
Red Hat JBoss Portal 6	jbossweb	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-113

https://bugzilla.redhat.com/show_bug.cgi?id=1344321eap: HTTP header injection / response splitting

EPSS

Процентиль: 81%

0.01476

Низкий

5.4 Medium

CVSS3

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2016-4993

CVSS3: 6.1

ubuntu

больше 9 лет назад

CVE-2016-4993

CVSS3: 6.1

nvd

больше 9 лет назад

CVE-2016-4993

CVSS3: 6.1

debian

больше 9 лет назад

CRLF injection vulnerability in the Undertow web server in WildFly 10. ...

GHSA-qcqr-hcjq-whfq

CVSS3: 6.1

github

больше 3 лет назад

Improper Neutralization of CRLF Sequences in Wildfly Undertow

EPSS

Процентиль: 81%

0.01476

Низкий

5.4 Medium

CVSS3

5.8 Medium

CVSS2