Vulnerability Description
CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dena | H2O | <= 1.6.1 |
References
- http://jvn.jp/en/jp/JVN45928828/index.html (Vendor Advisory)
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000003 (Vendor Advisory)
- https://github.com/h2o/h2o/issues/682
- https://github.com/h2o/h2o/issues/684
- https://h2o.examp1e.net/vulnerabilities.html#CVE-2016-1133
FAQ
What is CVE-2016-1133?
CVE-2016-1133 is a vulnerability with a CVSS score of 3.7 (LOW). CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP...
How severe is CVE-2016-1133?
CVE-2016-1133 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-1133?
Check the references section above for vendor advisories and patch information. Affected products include: Dena H2O.