CVE-2008-0456
Description
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) 406 Not Acceptable or (2) 300 Multiple Choices HTTP response when the extension is omitted in a request for the file.
Risk Information
Base Score
6.4
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
7.199
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Apache to version 2.2.10 | Windows |
| Multiple vulnerabilities are fixed in Apache 2.2.12 | Windows |
| Update Apache to version 2.2.10 (For Linux) | Linux |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) Vulnerability (CVE-2008-0456) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234