CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Parent: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
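The following is an added illustration of the weakness described above; it is not code from the CWE entry or from any of the products listed below. It models a minimal HTTP/1.1 response builder that copies an attacker-controlled redirect target into a Location header, first without any neutralization and then with a reject-on-CR/LF check, and uses a small lenient parser to show what a downstream proxy or browser would make of each result. The function names, the `HeaderInjection` class and the two payload strings are constructed for this example.

```python
"""Added example for CWE-113 (HTTP response splitting via CRLF in headers).
Not taken from the CWE page or any listed project; names and payloads are
constructed for illustration."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def serialize(status: str, headers: List[Header], body: bytes = b"") -> bytes:
    """Join the status line and headers with CRLF. This is the sink: any CR
    or LF inside a header value becomes a line terminator on the wire."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def redirect_vulnerable(target: str) -> bytes:
    """Vulnerable: the user-supplied target reaches the serializer unchecked."""
    return serialize("302 Found", [("Location", target), ("Content-Length", "0")])


class HeaderInjection(ValueError):
    """Raised when a header value contains a line-terminator character."""


def check_header_value(value: str) -> str:
    """Reject CR, LF and NUL outright. Rejecting beats stripping: a filter that
    only removes the two-byte CRLF pair still passes a bare LF, and several
    HTTP parsers accept bare LF as a line terminator. Apply this after any
    URL- or HTML-decoding, otherwise %0d%0a slips past it."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection(f"line terminator in header value: {value!r}")
    return value


def redirect_hardened(target: str) -> bytes:
    """Hardened: the same builder, with the value validated before use."""
    return serialize("302 Found",
                     [("Location", check_header_value(target)), ("Content-Length", "0")])


def is_rejected(target: str) -> bool:
    """True if the hardened builder refuses this target."""
    try:
        redirect_hardened(target)
        return False
    except HeaderInjection:
        return True


def strip_crlf_pairs(value: str) -> str:
    """A common but insufficient mitigation: removes only the CRLF pair."""
    return value.replace("\r\n", "")


def parse_responses(raw: bytes) -> List[Dict[str, str]]:
    """Lenient recipient modelled on a proxy or browser: treats CRLF and bare
    LF alike as line terminators and starts a new message at every status
    line. Returns one dict per message, status line under 'status', header
    names lower-cased; bodies are skipped."""
    lines = raw.decode("latin-1").replace("\r\n", "\n").split("\n")
    messages: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_headers = False
    for line in lines:
        if line.startswith("HTTP/1.1 "):
            current = {"status": line[len("HTTP/1.1 "):]}
            messages.append(current)
            in_headers = True
        elif line == "":
            in_headers = False          # blank line ends the header block
        elif in_headers and ":" in line:
            name, _, value = line.partition(":")
            current[name.strip().lower()] = value.strip()
    return messages


# Constructed attacker input for a parameter such as ?next=...: closes the
# real 302 early and appends a forged 200 carrying a script body.
SPLIT_PAYLOAD = (
    "/\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Content-Length: 25\r\n\r\n<script>alert(1)</script>"
)

# Constructed input that defeats the strip-CRLF-only filter with a bare LF.
BARE_LF_PAYLOAD = "/\nSet-Cookie: session=attacker"


if __name__ == "__main__":
    print("vulnerable builder, messages seen by recipient:",
          parse_responses(redirect_vulnerable(SPLIT_PAYLOAD)))
    print("strip-CRLF-only filter, headers seen:",
          parse_responses(redirect_vulnerable(strip_crlf_pairs(BARE_LF_PAYLOAD))))
    print("hardened builder rejects split payload:", is_rejected(SPLIT_PAYLOAD))
    print("hardened builder rejects bare-LF payload:", is_rejected(BARE_LF_PAYLOAD))
```

Running the block shows the vulnerable builder emitting two messages from one request, so a shared connection or cache can attribute the forged 200 to the next request. The strip-only filter leaves a bare LF in place and the recipient accepts an injected Set-Cookie header. The hardened builder refuses both inputs; the practical check in a code review is whether every path into the header-setting API (addHeader, addCookie, redirect helpers, early-hints emitters, as in several of the entries below) passes through such a validation after decoding.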

97 vulnerabilities with CWE-113
CVE-2023-42450 MEDIUM
Mastodon 4.2.0-beta1 to 4.2.0-rc1 - HTTP Request Injection
CVSS 5.4
CVE-2023-41834 MEDIUM
Apache Flink Stateful Functions 3.1.0-3.2.0 - HTTP Response Splitting via CRLF Injection
CVSS 6.1
CVE-2023-26142 MEDIUM
Crow - HTTP Response Splitting via Header CRLF Injection
CVSS 6.5
CVE-2023-26137 HIGH
drogon - HTTP Response Splitting via addHeader and addCookie Functions
CVSS 7.2
CVE-2023-34472 MEDIUM
AMI MegaRAC SPx BMC - HTTP Header Injection via CRLF Sequences
CVSS 5.7
CVE-2023-0508 LOW
GitLab 15.4.0-15.10.7, 15.11.0-15.11.6, 16.0.0-16.0.1 - HTTP Response Splitting via NPM Package API
CVSS 3.1
CVE-2023-32708 HIGH
Splunk Enterprise < 9.0.5, < 8.2.11, < 8.1.14 and Splunk Cloud Platform < 9.0.2303.100 - HTTP Response Splitting
CVSS 7.2
CVE-2022-42472 MEDIUM
FortiOS/FortiProxy HTTP Request Splitting (Auth Required)
CVSS 4.2
CVE-2022-37436 MEDIUM
Apache HTTP Server < 2.4.55 - HTTP Response Header Injection via CRLF Sequence
CVSS 5.3
CVE-2022-42471 MEDIUM
FortiWeb 6.3.6-6.3.20, 6.4.0-6.4.2, 7.0.0-7.0.2 - Authenticated HTTP Response Splitting
CVSS 5.4
CVE-2022-41915 MEDIUM
Netty 4.1.83-4.1.85 - HTTP Response Splitting via DefaultHttpHeaders.set Iterator
CVSS 6.5
CVE-2022-20772 MEDIUM
Cisco ESA/Secure Email and Web Manager - HTTP Response Splitting
CVSS 4.7
CVE-2022-3215 HIGH
SwiftNIO < 2.29.1 and 2.41.0-2.42.0 - HTTP Response Injection via CRLF in HTTP Headers
CVSS 7.5
CVE-2022-37953 MEDIUM
WorkstationST < 07.09.15 - HTTP Response Splitting via AM Gateway Challenge-Response Dialog
CVSS 4.7
CVE-2021-40336 MEDIUM
Hitachi Energy MSM <=2.2 - HTTP Response Splitting via Header Validation Failure
CVSS 5.0
CVE-2021-0268 HIGH
Juniper Networks Junos OS - Buffer Overflow
CVSS 8.8
CVE-2020-3117 MEDIUM
Cisco AsyncOS/Cisco Web Security Appliance/SMA - Info Disclosure
CVSS 4.7
CVE-2020-10753 MEDIUM
Red Hat Ceph Storage RadosGW - HTTP Header Injection
CVSS 5.4
CVE-2020-5249 MEDIUM
Puma < 3.12.3 and 3.12.4 - HTTP Response Splitting via Early-Hints Header Injection
CVSS 6.5
CVE-2020-5247 MEDIUM
Puma < 3.12.3 - HTTP Response Splitting via Header Injection
CVSS 6.5
CVE-2020-5216 MEDIUM
Secure Headers < 3.9.0, 5.2.0-6.3.0 - Directive Injection via Newline in Content-Security-Policy
CVSS 4.4
CVE-2019-25101 MEDIUM
OnShift TurboGears 1.0.11.10 - HTTP Response Splitting
CVSS 6.3
CVE-2019-16771 MEDIUM
Armeria 0.85.0-0.96.0 - HTTP Response Splitting via CRLF Injection
CVSS 4.8
CVE-2019-15259 MEDIUM
Cisco Unified Contact Center Express < 11.6(2) - Unauthenticated HTTP Response Splitting via Parameter Injection
CVSS 6.1
CVE-2018-18837 MEDIUM
Netdata 1.10.0 - HTTP Header Injection
CVSS 6.1