Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2016-4975
Summary
Possible CRLF injection allowing HTTP response splitting attacks for sites that use 'mod_userdir'. This issue was mitigated by prohibiting CR or LF injection into the "Location" or other outbound header key or value. The issue affects versions 2.4.1 through 2.4.23 and 2.2.0 through 2.2.31.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
The software uses CRLF (carriage return, line feed) as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences that arrive in its inputs.
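The following is an added example (not Apache httpd code, and not part of the original advisory) that shows, on a constructed redirect target, why unneutralized CR/LF in a Location value splits the response into extra headers, and how the mitigation the summary describes (refusing CR or LF in any outbound header key or value) closes it. The handler shape, the function names and the sample target strings are all assumptions made for the illustration.

```python
"""CRLF neutralization for outbound HTTP headers (added example).

Not Apache httpd code. It mirrors the mitigation named in the advisory:
refuse CR or LF anywhere in an outbound header key or value.
"""
import re

# Constructed sample inputs. Imagine a handler that derives a redirect target
# from a user-controlled path and the framework has already percent-decoded it.
CONSTRUCTED_TAINTED_TARGET = "/~alice/\r\nX-Injected: demo\r\n\r\n<html>split</html>"
CONSTRUCTED_SAFE_TARGET = "/~alice/index.html"

_CR_OR_LF = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when an outbound header key or value contains CR or LF."""


def check_header(key: str, value: str) -> None:
    """Reject (rather than silently strip) any header containing CR or LF.

    Rejecting keeps the evidence of tampering visible to the application
    and avoids guessing what the caller meant by the stray line break.
    """
    for part_name, text in (("key", key), ("value", value)):
        if _CR_OR_LF.search(text):
            raise HeaderInjectionError(f"CR/LF in header {part_name}: {text!r}")


def build_redirect_naive(target: str) -> bytes:
    """Vulnerable builder: interpolates the target with no neutralization."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def build_redirect_hardened(target: str) -> bytes:
    """Hardened builder: validates every header before serialization."""
    headers = [("Location", target)]
    for key, value in headers:
        check_header(key, value)
    head = "\r\n".join(f"{k}: {v}" for k, v in headers)
    return f"HTTP/1.1 302 Found\r\n{head}\r\n\r\n".encode("latin-1")


def header_names(response: bytes) -> list:
    """Header names a client would see before the first blank line.

    Used here only to make the splitting visible: an injected CRLF turns
    one intended header into two.
    """
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode("latin-1") for line in lines]


if __name__ == "__main__":
    print(header_names(build_redirect_naive(CONSTRUCTED_TAINTED_TARGET)))
    try:
        build_redirect_hardened(CONSTRUCTED_TAINTED_TARGET)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The naive builder emits a second header (`X-Injected`) that the application never intended to send; the hardened builder raises before a single byte reaches the wire. Validating at the point where headers are serialized, rather than at each call site, is what makes the check cover every outbound header and not just Location.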
Advisory Timeline
- Published