ID CVE-2016-5325
Summary CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
References
Vulnerable Configurations
  • cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.4.7:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:4.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:4.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.42:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.42:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.43:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.43:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.44:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.44:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.45:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.45:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.10.46:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.10.46:*:*:*:*:*:*:*
  • cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*
    cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.10:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.10:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.11:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.11:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.12:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.12:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.13:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.13:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.14:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.14:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:0.12.15:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:0.12.15:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:nodejs:node.js:6.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:nodejs:node.js:6.6.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 05-01-2018 - 02:31)
Impact:
Exploitability:
CWE CWE-113
CAPEC
  • HTTP Response Splitting
    This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached.
  • Accessing/Intercepting/Modifying HTTP Cookies
    This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
  • AJAX Fingerprinting
    This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application. A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2016:2101
  • rhsa
    id RHSA-2017:0002
rpms
  • nodejs-0:0.10.47-2.el7
  • nodejs-debuginfo-0:0.10.47-2.el7
  • nodejs-devel-0:0.10.47-2.el7
  • nodejs-docs-0:0.10.47-2.el7
  • nodejs-tough-cookie-0:2.3.1-1.el7
  • rh-nodejs4-http-parser-0:2.7.0-2.el6
  • rh-nodejs4-http-parser-0:2.7.0-2.el7
  • rh-nodejs4-http-parser-debuginfo-0:2.7.0-2.el6
  • rh-nodejs4-http-parser-debuginfo-0:2.7.0-2.el7
  • rh-nodejs4-http-parser-devel-0:2.7.0-2.el6
  • rh-nodejs4-http-parser-devel-0:2.7.0-2.el7
  • rh-nodejs4-nodejs-0:4.6.2-4.el6
  • rh-nodejs4-nodejs-0:4.6.2-4.el7
  • rh-nodejs4-nodejs-debuginfo-0:4.6.2-4.el6
  • rh-nodejs4-nodejs-debuginfo-0:4.6.2-4.el7
  • rh-nodejs4-nodejs-devel-0:4.6.2-4.el6
  • rh-nodejs4-nodejs-devel-0:4.6.2-4.el7
  • rh-nodejs4-nodejs-docs-0:4.6.2-4.el6
  • rh-nodejs4-nodejs-docs-0:4.6.2-4.el7
refmap via4
bid 93483
confirm
gentoo GLSA-201612-43
suse SUSE-SU-2016:2470
Last major update 05-01-2018 - 02:31
Published 10-10-2016 - 16:59
Last modified 05-01-2018 - 02:31
Back to Top