CVE-2008-0456

Apache HTTP Server 1.3.0-1.3.39, 2.0.0-2.0.61, 2.2.0-2.2.6 - HTTP Response Splitting via Multiline Filename Upload

Title source: llm
STIX 2.1

Description

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

References (26)

Core 26
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/486847/100/0/threaded
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200803-19.xml
Third Party Advisory x_refsource_confirm
http://support.apple.com/kb/HT3549
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1019256
Exploit, Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/3575
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35074
Broken Link, Mailing List, Third Party Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/39893
Broken Link x_refsource_misc
http://www.mindedsecurity.com/MSA01150108.html
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29348
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0130.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/27409
Permissions Required, Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1297

Scores

EPSS 0.1904
EPSS Percentile 97.0%

Details

CWE
CWE-74
Status published
Products (4)
apache/http_server 2.2.0 - 2.2.12
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_server 5.0
redhat/enterprise_linux_workstation 5.0
Published Jan 25, 2008
Tracked Since Feb 18, 2026