7.5

CVE-2016-2216

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.

Data is provided by the National Vulnerability Database (NVD)
NodejsNode.Js Version0.10.0
NodejsNode.Js Version0.10.1
NodejsNode.Js Version0.10.2
NodejsNode.Js Version0.10.3
NodejsNode.Js Version0.10.4
NodejsNode.Js Version0.10.5
NodejsNode.Js Version0.10.6
NodejsNode.Js Version0.10.7
NodejsNode.Js Version0.10.8
NodejsNode.Js Version0.10.9
NodejsNode.Js Version0.10.10
NodejsNode.Js Version0.10.11
NodejsNode.Js Version0.10.12
NodejsNode.Js Version0.10.13
NodejsNode.Js Version0.10.14
NodejsNode.Js Version0.10.15
NodejsNode.Js Version0.10.16
NodejsNode.Js Version0.10.16-isaacs-manual
NodejsNode.Js Version0.10.17
NodejsNode.Js Version0.10.18
NodejsNode.Js Version0.10.19
NodejsNode.Js Version0.10.20
NodejsNode.Js Version0.10.21
NodejsNode.Js Version0.10.22
NodejsNode.Js Version0.10.23
NodejsNode.Js Version0.10.24
NodejsNode.Js Version0.10.25
NodejsNode.Js Version0.10.26
NodejsNode.Js Version0.10.27
NodejsNode.Js Version0.10.28
NodejsNode.Js Version0.10.29
NodejsNode.Js Version0.10.30
NodejsNode.Js Version0.10.31
NodejsNode.Js Version0.10.32
NodejsNode.Js Version0.10.33
NodejsNode.Js Version0.10.34
NodejsNode.Js Version0.10.35
NodejsNode.Js Version0.10.36
NodejsNode.Js Version0.10.37
NodejsNode.Js Version0.10.38
NodejsNode.Js Version0.10.39
NodejsNode.Js Version0.10.40
NodejsNode.Js Version0.10.41
NodejsNode.Js Version0.11.6
NodejsNode.Js Version0.11.7
NodejsNode.Js Version0.11.8
NodejsNode.Js Version0.11.9
NodejsNode.Js Version0.11.10
NodejsNode.Js Version0.11.11
NodejsNode.Js Version0.11.12
NodejsNode.Js Version0.11.13
NodejsNode.Js Version0.11.14
NodejsNode.Js Version0.11.15
NodejsNode.Js Version0.11.16
NodejsNode.Js Version0.12.0
NodejsNode.Js Version0.12.1
NodejsNode.Js Version0.12.2
NodejsNode.Js Version0.12.3
NodejsNode.Js Version0.12.4
NodejsNode.Js Version0.12.5
NodejsNode.Js Version0.12.6
NodejsNode.Js Version0.12.7
NodejsNode.Js Version0.12.8
NodejsNode.Js Version0.12.9
NodejsNode.Js Version4.0.0
NodejsNode.Js Version4.1.0
NodejsNode.Js Version4.1.1
NodejsNode.Js Version4.1.2
NodejsNode.Js Version4.2.0
NodejsNode.Js Version4.2.1
NodejsNode.Js Version4.2.2
NodejsNode.Js Version4.2.3
NodejsNode.Js Version4.2.4
NodejsNode.Js Version4.2.5
NodejsNode.Js Version4.2.6
NodejsNode.Js Version5.0.0
NodejsNode.Js Version5.1.0
NodejsNode.Js Version5.1.1
NodejsNode.Js Version5.2.0
NodejsNode.Js Version5.3.0
NodejsNode.Js Version5.4.0
NodejsNode.Js Version5.4.1
NodejsNode.Js Version5.5.0
FedoraprojectFedora Version22
FedoraprojectFedora Version23
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.11% 0.835
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.