CVE-2016-5325
Published: 10 October 2016
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nodejs Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(8.10.0~dfsg-2)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(0.10.25~dfsg2-2ubuntu1.2)
|
|
| upstream |
Released
(4.6.0~dfsg-1)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Released
(4.2.6~dfsg-1ubuntu4.2)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |