| ID |
CVE-2016-1899
|
| Summary |
CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c. <a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a> |
| References |
|
| Vulnerable Configurations |
|
| CVSS |
| Base: | 4.3 (as of 07-12-2016 - 18:33) |
| Impact: | |
| Exploitability: | |
|
| CWE |
NVD-CWE-Other |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
MEDIUM |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| NONE |
PARTIAL |
NONE |
|
| cvss-vector
via4
|
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
| refmap
via4
|
| confirm | http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96 | | debian | DSA-3545 | | fedora | - FEDORA-2016-215b507409
- FEDORA-2016-e5a5fb196f
| | mlist | - [CGit] 20160113 XSS in cgit
- [CGit] 20160114 [ANNOUNCE] CGIT v0.12 Released
- [oss-security] 20160114 CVE Request: CGit - Multiple vulnerabilities
- [oss-security] 20160114 Re: CVE Request: CGit - Multiple vulnerabilities
| | suse | - openSUSE-SU-2016:0196
- openSUSE-SU-2016:0218
|
|
| Last major update |
07-12-2016 - 18:33 |
| Published |
20-01-2016 - 16:59 |
| Last modified |
07-12-2016 - 18:33 |
