CVE-2016-1155

CRITICAL

Android 2.2-6.0 - HTTP Header Injection via URLConnection

Title source: llm

Description

HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97662

Mitigation, Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvn

https://jvn.jp/vu/JVNVU99757346/index.html

Patch x_refsource_misc

https://android.googlesource.com/platform/external/okhttp/+/71b9f47b26fb57ac3e436a19519c6e3ec70e86eb

Scores

CVSS v3 9.8

EPSS 0.0180

EPSS Percentile 75.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-74

Status published

Products (43)

google/android 2.2 (2 CPE variants)

google/android 2.2.1

google/android 2.2.2

google/android 2.2.3

google/android 2.3 (2 CPE variants)

google/android 2.3.1

google/android 2.3.2

google/android 2.3.3

google/android 2.3.4

google/android 2.3.5

... and 33 more

Published Apr 13, 2017

Tracked Since Feb 18, 2026