CVE-2016-4993

CWE-93 CWE-11314 documents7 sources

Severity

6.1MEDIUM

EPSS

1.5%

top 19.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform [unknown] Undertow Redhat Jboss Wildfly Application Server

Timeline

PublishedSep 26

Latest updateMay 17

Description

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDredhat/jboss_enterprise_application_platform7.0.1

▶NVDredhat/jboss_wildfly_application_server10.0.0

▶Mavenorg.wildfly:wildfly-undertow10.0.0.Final — 11.0.0.Final

▶Debianundertow< 1.4.3-1

▶CVEListV5[unknown]/undertowundertow 7.1.2.CR1, undertow 7.1.2.GA+1

🔴Vulnerability Details

OSV

Improper Neutralization of CRLF Sequences in Wildfly Undertow↗2022-05-17

▶

GHSA

Improper Neutralization of CRLF Sequences in Wildfly Undertow↗2022-05-17

▶

GHSA

Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow↗2022-05-13

▶

CVEList

CVE-2016-4993: CRLF injection vulnerability in the Undertow web server in WildFly 10↗2016-09-26

▶

OSV

CVE-2016-4993: CRLF injection vulnerability in the Undertow web server in WildFly 10↗2016-09-26

▶

📋Vendor Advisories

Red Hat

undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)↗2018-04-25

▶

Red Hat

eap: HTTP header injection / response splitting↗2016-09-08

▶

Debian

CVE-2016-4993: undertow - CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as us...↗2016

▶

💬Community

Bugzilla

CVE-2018-1067 tomcat: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) [fedora-all]↗2018-06-19

▶

Bugzilla

CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) [fedora-all]↗2018-06-19

▶

Bugzilla

CVE-2018-1067 wildfly: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) [fedora-all]↗2018-06-19

▶

Bugzilla

CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)↗2018-03-01

▶

Bugzilla

CVE-2016-4993 eap: HTTP header injection / response splitting↗2016-06-09

▶