CVE-2016-5325

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

Data provided by the National Vulnerability Database (NVD)
Nodejs Node.js, versions: 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.5.0
Nodejs Node.js, versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.10.16-isaacs-manual, 0.10.17, 0.10.18, 0.10.19, 0.10.20, 0.10.21, 0.10.22, 0.10.23, 0.10.24, 0.10.25, 0.10.26, 0.10.27, 0.10.28, 0.10.29, 0.10.30, 0.10.31, 0.10.32, 0.10.33, 0.10.34, 0.10.35, 0.10.36, 0.10.37, 0.10.38, 0.10.39, 0.10.40, 0.10.41, 0.10.42, 0.10.43, 0.10.44, 0.10.45, 0.10.46
Suse Linux Enterprise, version: 12.0
Nodejs Node.js, versions: 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15
Nodejs Node.js, versions: 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0
No CISA KEV or CERT.AT warning was found for this CVE.

EPSS metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.33% | 0.549 |

CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.