CVE-2008-0456 — Injection in Apache Http Server

CWE-74 — Injection CWE-94 — Code Injection7 documents7 sources

Severity

2.6LOWNVD

EPSS

7.6%

top 8.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server +1 more

Timeline

PublishedJan 25

Latest updateMay 1

Description

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choi…

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages4 packages

▶NVDapache/http_server2.2.0 — 2.2.12

▶NVDredhat/enterprise_linux_server5.0

▶NVDredhat/enterprise_linux_desktop5.0

▶NVDredhat/enterprise_linux_workstation5.0

🔴Vulnerability Details

GHSA

GHSA-fw9r-jq2r-wx56: CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2022-05-01

▶

CVEList

CVE-2008-0456: CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2008-01-25

▶

OSV

CVE-2008-0456: CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2008-01-25

▶

📋Vendor Advisories

Red Hat

httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled↗2008-01-22

▶

Debian

CVE-2008-0456: apache2 - CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Se...↗2008

▶

💬Community

Bugzilla

CVE-2008-0456 httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled↗2012-11-22

▶