CVE-2016-3166

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

CVSS v3.0 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/02/24/19
http://www.debian.org/security/2016/dsa-3498
https://www.drupal.org/SA-CORE-2016-001	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/03/15/10

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:drupal:drupal:6.31:::::::*
	cpe:2.3:a:drupal:drupal:6.30:::::::*
	cpe:2.3:a:drupal:drupal:6.3:::::::*
	cpe:2.3:a:drupal:drupal:6.29:::::::*
	cpe:2.3:a:drupal:drupal:6.28:::::::*
	cpe:2.3:a:drupal:drupal:6.16:::::::*
	cpe:2.3:a:drupal:drupal:6.15:::::::*
	cpe:2.3:a:drupal:drupal:6.14:::::::*
	cpe:2.3:a:drupal:drupal:6.13:::::::*
	cpe:2.3:a:drupal:drupal:6.0:::::::*
	cpe:2.3:a:drupal:drupal:6.6:::::::*
	cpe:2.3:a:drupal:drupal:6.33:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc2::::::
	cpe:2.3:a:drupal:drupal:6.0:dev::::::
	cpe:2.3:a:drupal:drupal:6.25:::::::*
	cpe:2.3:a:drupal:drupal:6.12:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc3::::::
	cpe:2.3:a:drupal:drupal:6.0:rc4::::::
	cpe:2.3:a:drupal:drupal:6.4:::::::*
	cpe:2.3:a:drupal:drupal:6.36:::::::*
	cpe:2.3:a:drupal:drupal:6.35:::::::*
	cpe:2.3:a:drupal:drupal:6.7:::::::*
	cpe:2.3:a:drupal:drupal:6.22:::::::*
	cpe:2.3:a:drupal:drupal:6.27:::::::*
	cpe:2.3:a:drupal:drupal:6.19:::::::*
	cpe:2.3:a:drupal:drupal:6.21:::::::*
	cpe:2.3:a:drupal:drupal:6.17:::::::*
	cpe:2.3:a:drupal:drupal:6.5:::::::*
	cpe:2.3:a:drupal:drupal:6.10:::::::*
	cpe:2.3:a:drupal:drupal:6.23:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc1::::::
	cpe:2.3:a:drupal:drupal:6.20:::::::*
	cpe:2.3:a:drupal:drupal:6.9:::::::*
	cpe:2.3:a:drupal:drupal:6.0:beta2::::::
	cpe:2.3:a:drupal:drupal:6.2:::::::*
	cpe:2.3:a:drupal:drupal:6.24:::::::*
	cpe:2.3:a:drupal:drupal:6.18:::::::*
	cpe:2.3:a:drupal:drupal:6.0:beta4::::::
	cpe:2.3:a:drupal:drupal:6.32:::::::*
	cpe:2.3:a:drupal:drupal:6.11:::::::*
	cpe:2.3:a:drupal:drupal:6.0:beta1::::::
	cpe:2.3:a:drupal:drupal:6.26:::::::*
	cpe:2.3:a:drupal:drupal:6.8:::::::*
	cpe:2.3:a:drupal:drupal:6.1:::::::*
	cpe:2.3:a:drupal:drupal:6.0:beta3::::::
	cpe:2.3:a:drupal:drupal:6.34:::::::*
	cpe:2.3:a:drupal:drupal:6.37:::::::*

Information

Published : 2016-04-12 08:59

Updated : 2016-04-12 17:44

NVD link : CVE-2016-3166

Mitre link : CVE-2016-3166

JSON object : View

CWE

NVD-CWE-Other

Products Affected

debian

debian_linux

drupal

drupal

5.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-3166

5.9^/10

4.3^/10

Attach tags to `CVE-2016-3166`