Risk | Topic | Date | Author
Low | SmarterStats 11.3.6347 Cross Site Scripting | 02.10.2017 | David Hoyt
High | Dropbear SSHD xauth Command Injection / Bypass | 17.03.2016 | dropbear
High | OpenSSH 7.2p1 xauth Command Injection / Bypass | 16.03.2016 | tintinweb
Low | NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities | 08.03.2015 | Wang Jing


CVEMAP Search Results

Columns: CVE (published, risk) | Details | Description
CVE-2019-10678 (2019-03-31, Medium)
Vendor: Domoticz
Software: Domoticz
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
CVE-2019-9947 (2019-03-23, Low)
Vendor: Python
Software: Python
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) followed by an HTTP header or a Redis command. This is similar to CVE-2019-9740.
CVE-2019-9741 (2019-03-13, Low)
Vendor: Golang
Software: GO
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
CVE-2019-9740 (2019-03-12, Low)
Vendor: Python
Software: Python
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.
CVE-2019-7313 (2019-02-03, Medium)
www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.
CVE-2019-6802 (2019-01-24, Low)
Vendor: Python
Software: Pypiserver
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.
CVE-2018-12477 (2018-10-09, Medium)
Vendor: Opensuse
Software: Opensuse leap
An Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches into deleting them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce.
CVE-2017-7528 (2018-08-22, Low)
Vendor: Redhat
Software: Ansible tower
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback).
CVE-2016-4975 (2018-08-14, Low)
Vendor: Apache
Software: Http server
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).
CVE-2018-1000164 (2018-04-18, Medium)
Vendor: Gunicorn
Software: Gunicorn
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in the "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.

Copyright 2019, cxsecurity.com