Vulnerability Description
HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Android | 2.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97662 (Third Party Advisory, VDB Entry)
- https://android.googlesource.com/platform/external/okhttp/+/71b9f47b26fb57ac3e43
- https://jvn.jp/vu/JVNVU99757346/index.html (Mitigation, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2016-1155?
CVE-2016-1155 is a vulnerability with a CVSS score of 9.8 (CRITICAL). HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.
How severe is CVE-2016-1155?
CVE-2016-1155 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-1155?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android.