Unrated severityNVD Advisory· Published Aug 14, 2018· Updated Sep 16, 2024

mod_userdir CRLF injection

CVE-2016-4975

Description

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).

Affected products

osv-coords10 versions
pkg:rpm/suse/apache2&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 pkg:rpm/suse/apache2&distro=SUSE%20OpenStack%20Cloud%207
< 2.4.23-29.24.1+ 9 more
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.16-20.19.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.16-20.19.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.23-29.24.1
- (no CPE)range: < 2.4.23-29.24.1
Apache Software Foundation/Apache HTTP Serverv5
Range: Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/105093mitrevdb-entryx_refsource_BID
httpd.apache.org/security/vulnerabilities_22.htmlmitrex_refsource_CONFIRM
httpd.apache.org/security/vulnerabilities_24.htmlmitrex_refsource_CONFIRM
lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3Emitremailing-listx_refsource_MLIST
security.netapp.com/advisory/ntap-20180926-0006/mitrex_refsource_CONFIRM
support.hpe.com/hpsc/doc/public/displaymitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.059
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000