← voltar
CVE-2016-2216

CVE-2016-2216

EPSS 7.0%
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
Produtos afetados
n/a · n/a

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdfhttp://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.htmlhttp://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.htmlhttps://nodejs.org/en/blog/vulnerability/february-2016-security-releases/https://security.gentoo.org/glsa/201612-43http://www.securityfocus.com/bid/83141