2.6

CVE-2008-0456

Exploit

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Data is provided by the National Vulnerability Database (NVD)
ApacheHTTP Server Version >= 2.2.0 < 2.2.12
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 7.58% 0.915
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 2.6 4.9 2.9
AV:N/AC:H/Au:N/C:N/I:P/A:N
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

http://secunia.com/advisories/35074
Third Party Advisory
Not Applicable
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
Third Party Advisory
US Government Resource
http://www.vupen.com/english/advisories/2009/1297
Third Party Advisory
Permissions Required
http://secunia.com/advisories/29348
Third Party Advisory
Not Applicable
http://securityreason.com/securityalert/3575
Third Party Advisory
Exploit
http://securitytracker.com/id?1019256
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/27409
Third Party Advisory
VDB Entry