Vulnerability Details : CVE-2016-4993
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Products affected by CVE-2016-4993
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_wildfly_application_server:10.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4993
- EPSS score: 0.32% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~66% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2016-4993
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2016-4993
- The product uses CRLF (carriage return line feed) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. Assigned by: nvd@nist.gov (Primary)
- The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. Assigned by: nvd@nist.gov (Primary)
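As an added illustration of the weakness class the description and CWE entries above refer to (this is not Undertow or WildFly code, and it does not reproduce the unspecified vector of CVE-2016-4993), the following Python models a response builder that copies a request-controlled value into a header, a naive consumer that shows how the injected CR/LF turns one response into two, and a hardened builder that rejects the value instead. The host name, the redirect handler and the injected payload are all constructed for the example.

```python
"""Model of CWE-113 / HTTP response splitting and its fix.

Added example, not Undertow or WildFly code, and not the unspecified
vector of CVE-2016-4993: a toy response builder that copies a
request-controlled value into a header, a naive consumer that shows the
resulting split, and a hardened builder that rejects CR/LF.
"""
from typing import Dict, List, Tuple

CRLF = "\r\n"

# Constructed payload: a redirect target that carries a complete second
# response. Whatever sits behind the server (browser, proxy cache) and
# trusts the byte stream sees two responses instead of one.
INJECTED_LOCATION = (
    "https://example.test/ok" + CRLF          # hypothetical host
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF
    + CRLF
    + "<script>alert(1)</script>"
)


class HeaderInjectionError(ValueError):
    """Raised when a header value contains CR, LF or another control byte."""


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable pattern: the value lands in the Location header verbatim."""
    head = [
        "HTTP/1.1 302 Found",
        "Location: " + location,
        "Content-Length: 0",
    ]
    return (CRLF.join(head) + CRLF + CRLF).encode("latin-1")


def sanitize_header_value(value: str) -> str:
    """Reject rather than strip: a stripped value may still be a different
    URL than the one the caller validated. RFC 7230 allows VCHAR, SP, HTAB
    and obs-text in a field-value, so any other control byte is refused."""
    for ch in value:
        code = ord(ch)
        if ch in ("\r", "\n"):
            raise HeaderInjectionError("CR/LF in header value")
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            raise HeaderInjectionError("control byte %#x in header value" % code)
    return value


def build_redirect_safe(location: str) -> bytes:
    """Hardened pattern: validate before the value reaches the wire."""
    return build_redirect_unsafe(sanitize_header_value(location))


def is_rejected(value: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(value)
    except HeaderInjectionError:
        return True
    return False


def split_responses(raw: bytes) -> List[Tuple[str, Dict[str, str], bytes]]:
    """Consume a byte stream like a naive client or proxy: each message is
    a status line, headers, then Content-Length bytes of body. Returns one
    (status_line, headers, body) tuple per message found."""
    messages = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split(CRLF)
        status = lines[0]
        if not status.startswith("HTTP/"):
            break  # leftover bytes that are not a message; stop here
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


def demo() -> Tuple[int, int, bool]:
    """(messages seen for a benign value, messages seen for the injected
    value via the unsafe builder, whether the safe builder rejected it)."""
    benign = len(split_responses(build_redirect_unsafe("https://example.test/ok")))
    split = len(split_responses(build_redirect_unsafe(INJECTED_LOCATION)))
    return benign, split, is_rejected(INJECTED_LOCATION)


if __name__ == "__main__":
    print(demo())  # (1, 2, True)
```

The consumer deliberately stops at the first thing that is not a status line, which is what makes the attacker's fabricated `200 OK` the last message it accepts; a caching proxy in that position would store the injected body under the victim's URL, which is the usual impact of this class and matches the CVSS v3 scope change (S:C) and user-interaction (UI:R) flags recorded above.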
References for CVE-2016-4993
- http://rhn.redhat.com/errata/RHSA-2016-1839.html
  RHSA-2016:1839 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1344321
  1344321 – (CVE-2016-4993) CVE-2016-4993 eap: HTTP header injection / response splitting (Issue Tracking; Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-1841.html
  RHSA-2016:1841 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-1840.html
  RHSA-2016:1840 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:3458
  RHSA-2017:3458 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-1838.html
  RHSA-2016:1838 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/92894
  RedHat JBoss Enterprise Application Platform CVE-2016-4993 HTTP Header Injection Vulnerability
- https://access.redhat.com/errata/RHSA-2017:3456
  RHSA-2017:3456 - Security Advisory - Red Hat Customer Portal
- http://www.securitytracker.com/id/1036758
  Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks - SecurityTracker (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:3455
  RHSA-2017:3455 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2017:3454
  RHSA-2017:3454 - Security Advisory - Red Hat Customer Portal