Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-3906 — Improper Input Validation in Project Mono

CWE-20 — Improper Input Validation9 documents9 sources

Severity

4.3MEDIUMNVD

EPSS

8.1%

top 7.83%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mono Mono Project Mono

Timeline

PublishedSep 4

Latest updateMay 2

Description

CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Debianmono/mono< 1.9.1+dfsg-4+3

▶NVDmono_project/mono2.0+7

▶NVDmono/mono12 versions+11

🔴Vulnerability Details

GHSA

GHSA-fwxc-72gp-54jq: CRLF injection vulnerability in Sys↗2022-05-02

▶

CVEList

CVE-2008-3906: CRLF injection vulnerability in Sys↗2008-09-04

▶

OSV

CVE-2008-3906: CRLF injection vulnerability in Sys↗2008-09-04

▶

💥Exploits & PoCs

Exploit-DB

Mono 2.0 - 'System.Web' HTTP Header Injection↗2008-08-20

▶

📋Vendor Advisories

Ubuntu

Mono vulnerabilities↗2009-08-26

▶

Debian

CVE-2008-3906: mono - CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote at...↗2008

▶

Red Hat

mono: Sys.Web HTTP header injection attack↗

▶

💬Community

Bugzilla

CVE-2008-3906 mono: Sys.Web HTTP header injection attack↗2008-09-10

▶