CVE-2008-0456

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Injection
Severity
UNKNOWN
AV:N/AC:H/Au:N/C:N/I:P/A:N
Atk. Vector
NETWORK
Atk. Complexity
HIGH
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
apachehttp_server
2.2.0 ≤
𝑥
< 2.2.12
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_server
5.0
redhatenterprise_linux_workstation
5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache
intrepid
dne
hardy
dne
gutsy
dne
feisty
ignored
edgy
ignored
dapper
ignored
apache2
intrepid
not-affected
hardy
not-affected
gutsy
ignored
feisty
ignored
edgy
ignored
dapper
ignored
References