CVE-2016-5331

EPSS 0.33%
Veröffentlicht 08.08.2016 01:59:17
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

VMware ≫ Vcenter Server Updateupdate_1b Version <= 6.0

VMware ≫ ESXi Version6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.555

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

http://www.securitytracker.com/id/1036544

http://www.securitytracker.com/id/1036545

http://www.vmware.com/security/advisories/VMSA-2016-0010.html

Patch

Vendor Advisory

Mitigation

http://packetstormsecurity.com/files/138211/VMware-vSphere-Hypervisor-ESXi-HTTP-Response-Injection.html

http://seclists.org/fulldisclosure/2016/Aug/38

http://www.securityfocus.com/archive/1/539128/100/0/threaded

http://www.securityfocus.com/bid/92324

http://www.securitytracker.com/id/1036543

https://nvd.nist.gov/vuln/detail/CVE-2016-5331

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-5331

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-5331

EUVD