CVE-2016-1899

CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c.
Severity
LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Atk. Vector
NETWORK
Atk. Complexity
HIGH
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
cgit_projectcgit
𝑥
≤ 0.11.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cgit
bullseye
1.2.3+git2.25.1-1
fixed
bookworm
1.2.3+git20221219.50.91f2590+git2.39.1-1
fixed
sid
1.2.3+git20240802.70.09d24d7+git2.46.0-1
fixed
trixie
1.2.3+git20240802.70.09d24d7+git2.46.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cgit
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
not-affected
wily
ignored
vivid
ignored
trusty
dne
precise
dne