Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2016-4975

Severity Medium
Score 6.1/10

Summary

A possible CRLF injection allows HTTP response splitting attacks against sites that use 'mod_userdir'. The issue was mitigated by prohibiting CR or LF injection into the "Location" header or any other outbound header key or value. It affects versions 2.4.1 through 2.4.23 and 2.2.0 through 2.2.31.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software uses CRLF (carriage return, line feed) as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences from inputs.
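As an added illustration of the mitigation the summary describes (this is not Apache httpd's code), the following C check refuses any outbound header key or value that carries a CR or LF before it is serialized, so a user-controlled redirect target cannot terminate the Location header and start another header or a body. The function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Apache httpd code): the check the mitigation describes,
 * applied to an outbound header key and value before they are serialized.
 * A header key or value may not contain CR (0x0D) or LF (0x0A); otherwise a
 * client-controlled value could end the header line and begin a new one. */
static int contains_crlf(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s == '\r' || *s == '\n')
            return 1;
    }
    return 0;
}

/* Returns 1 if both key and value are free of CR/LF, 0 otherwise. */
int header_is_safe(const char *key, const char *value)
{
    return !contains_crlf(key) && !contains_crlf(value);
}

/* Serialize "Key: value\r\n" into out and return its length, or return -1
 * when either part contains CR/LF or the buffer is too small. The only CRLF
 * ever written is the terminator this function appends itself. */
int emit_header(char *out, size_t cap, const char *key, const char *value)
{
    if (!header_is_safe(key, value))
        return -1;
    int n = snprintf(out, cap, "%s: %s\r\n", key, value);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: a benign redirect target and one carrying CRLF. */
    const char *benign = "/~alice/";
    const char *hostile = "/~alice/\r\nX-Injected: 1";
    printf("benign:  %d\n", emit_header(buf, sizeof buf, "Location", benign));
    printf("hostile: %d\n", emit_header(buf, sizeof buf, "Location", hostile));
    return 0;
}
```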

Advisory Timeline

  • Published