CVE-2008-3906
Published: 2008-09-04
CVE-2008-3906: CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks.
Priority: P4, 28, medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploit: —
EPSS: 7.10% (93.4th percentile)
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
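The description above names the bug class (HTTP response splitting, CWE-113; this page's GHSA entry files it under the broader CWE-20) but not the pattern. As an added illustration, not Mono's System.Web code and not taken from any advisory quoted here, the following models it: a handler that copies a percent-decoded query-string value into a response header without rejecting CR/LF, beside the hardened form, plus a check that counts status lines in a raw response so a test harness or proxy-log review can tell when a response has been split. The handler, the `next` parameter and the attack request are constructed for this example; the page only states that the real bug is triggered by CRLF sequences in the query string.

```python
"""
Model of the CVE-2008-3906 bug class (HTTP response splitting via CR/LF in a
query-string value). Illustrative only: this is NOT Mono's System.Web code.
The handler, the `next` parameter and the attack string are constructed.
"""
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"


def _next_param(request_target: str) -> str:
    """Extracts ?next= from a request target. parse_qs percent-decodes, so
    %0d%0a in the query string arrives here as a real CR LF pair."""
    return parse_qs(urlsplit(request_target).query).get("next", ["/"])[0]


def _build(headers: list[str]) -> bytes:
    # A header section is CRLF-joined lines followed by a blank line.
    return (CRLF.join(headers) + CRLF + CRLF).encode("latin-1")


def vulnerable_redirect(request_target: str) -> bytes:
    """Vulnerable pattern: the decoded query value is copied verbatim into
    the Location header. Any CR/LF inside it terminates that header and lets
    the client control every following header, the body, and even a second
    status line (a complete second response)."""
    return _build(["HTTP/1.1 302 Found",
                   "Location: " + _next_param(request_target),
                   "Content-Length: 0"])


class HeaderInjection(ValueError):
    """Raised when a would-be header value carries CR, LF or NUL."""


def safe_header_value(value: str) -> str:
    """Rejects (rather than silently strips) CR, LF and NUL so an attack
    attempt fails loudly instead of being masked."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection("CR/LF in header value: %r" % value)
    return value


def hardened_redirect(request_target: str) -> bytes:
    """Same handler with the header value validated before emission."""
    return _build(["HTTP/1.1 302 Found",
                   "Location: " + safe_header_value(_next_param(request_target)),
                   "Content-Length: 0"])


def count_status_lines(raw: bytes) -> int:
    """Check for a test harness or proxy-log review: one HTTP response has
    exactly one status line; more than one means the response was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def headers_of_first_response(raw: bytes) -> dict[str, str]:
    """Parses the header block of the first response into a lowercase dict,
    showing which injected headers a client would honour."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    out: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return out


# Constructed attacker request: %0d%0a ends the Location header, then adds a
# cookie, a Content-Length matching the 20-byte fake body, and a second status
# line, so a proxy or browser sees two responses where the server sent one.
ATTACK = ("/login?next=/home%0d%0aSet-Cookie:%20session=attacker%0d%0a"
          "Content-Length:%2020%0d%0a%0d%0a<html>phished</html>%0d%0a"
          "HTTP/1.1%20200%20OK")
BENIGN = "/login?next=/account"

if __name__ == "__main__":
    raw = vulnerable_redirect(ATTACK)
    print("vulnerable: status lines =", count_status_lines(raw))
    print("vulnerable: first-response headers =", headers_of_first_response(raw))
    print("hardened, benign: status lines =", count_status_lines(hardened_redirect(BENIGN)))
    try:
        hardened_redirect(ATTACK)
    except HeaderInjection as exc:
        print("hardened, attack: rejected,", exc)
```

Rejecting rather than stripping is deliberate: a framework that silently drops CR/LF still lets the attacker probe for the bug, and encoding differences (for example a bare `%0d` or a `%0a` that some parsers tolerate) are easier to audit when the failure is an exception in the logs. The status-line count is a coarse check; it will also fire on a body that happens to contain a line beginning with `HTTP/1.`, so treat it as a triage signal, not proof.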
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mono | < 1.9.1+dfsg-4 | 1.9.1+dfsg-4 (bookworm) |
| mono | mono | >= 0, < 1.9.1+dfsg-4 | 1.9.1+dfsg-4 |
| mono | mono | — | — |
| mono_project | mono | <= 2.0 | — |
| mono_project | mono | — | — |
Note that the Debian fixed version (1.9.1+dfsg-4) is numerically below the upstream "2.0 and earlier" bound, so a scanner that compares Debian package versions against the upstream range alone will report fixed packages as vulnerable; match distribution packages against the distribution's own fixed version.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
Ubuntu
Mono vulnerabilities
vendor_ubuntu · 2009-08-26 · CVSS 4.3 · CVE-2009-0217 [MEDIUM]
It was discovered that the XML HMAC signature system did not correctly
check certain lengths. If an attacker sent a truncated HMAC, it could
bypass authentication, leading to potential privilege escalation.
(CVE-2009-0217)
It was discovered that Mono did not properly escape certain attributes in
the ASP.net class libraries which could result in browsers becoming
vulnerable to cross-site scripting attacks when processing the output. With
cross-site scripting vulnerabilities, if a user were tricked into viewing
server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. This issue only affected Ubuntu 8.04
LTS. (C
Debian
mono
vendor_debian · 2008 · CVSS 4.3 · CVE-2008-3906 [MEDIUM]
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
Scope: local
bookworm: resolved (fixed in 1.9.1+dfsg-4)
bullseye: resolved (fixed in 1.9.1+dfsg-4)
forky: resolved (fixed in 1.9.1+dfsg-4)
sid: resolved (fixed in 1.9.1+dfsg-4)
trixie: resolved (fixed in 1.9.1+dfsg-4)
Red Hat
mono: Sys.Web HTTP header injection attack
vendor_redhat · CVSS 4.3 · CVE-2008-3906 [MEDIUM]
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
GHSA
GHSA-fwxc-72gp-54jq
ghsa_unreviewed · 2022-05-02 · CVE-2008-3906 [MEDIUM] · CWE-20
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
OSV
CVE-2008-3906
osv · 2008-09-04 · CVSS 4.3 · [MEDIUM]
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
No detection rules found.
References
http://secunia.com/advisories/31643
http://secunia.com/advisories/36494
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0286
http://www.mandriva.com/security/advisories?name=MDVSA-2008:210
http://www.openwall.com/lists/oss-security/2008/08/27/6
http://www.securityfocus.com/archive/1/496845/100/0/threaded
http://www.securityfocus.com/bid/30867
http://www.vupen.com/english/advisories/2008/2443
https://bugzilla.novell.com/show_bug.cgi?id=418620
https://exchange.xforce.ibmcloud.com/vulnerabilities/44740
https://usn.ubuntu.com/826-1/
Published: 2008-09-04