Vulnerability details: VCID-9khq-s81v-aaaf
Vulnerability ID VCID-9khq-s81v-aaaf
Aliases CVE-2008-0456
Summary CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
System Score Found at
rhas Low https://access.redhat.com/errata/RHSA-2013:0130
epss 0.00474 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.00583 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.00768 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.09614 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.21689 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.22621 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
epss 0.26921 https://api.first.org/data/v1/epss?cve=CVE-2008-0456
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=879292
apache_httpd low https://httpd.apache.org/security/json/CVE-2008-0456.json
cvssv2 2.6 https://nvd.nist.gov/vuln/detail/CVE-2008-0456
Reference id Reference type URL
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
http://rhn.redhat.com/errata/RHSA-2013-0130.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-0456.json
https://api.first.org/data/v1/epss?cve=CVE-2008-0456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456
http://secunia.com/advisories/29348
http://secunia.com/advisories/35074
http://security.gentoo.org/glsa/glsa-200803-19.xml
http://securityreason.com/securityalert/3575
http://securitytracker.com/id?1019256
https://exchange.xforce.ibmcloud.com/vulnerabilities/39893
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
http://support.apple.com/kb/HT3549
http://www.mindedsecurity.com/MSA01150108.html
http://www.securityfocus.com/archive/1/486847/100/0/threaded
http://www.securityfocus.com/bid/27409
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
http://www.vupen.com/english/advisories/2009/1297
879292 https://bugzilla.redhat.com/show_bug.cgi?id=879292
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
CVE-2008-0456 https://httpd.apache.org/security/json/CVE-2008-0456.json
CVE-2008-0456 https://nvd.nist.gov/vuln/detail/CVE-2008-0456
GLSA-200803-19 https://security.gentoo.org/glsa/200803-19
RHSA-2013:0130 https://access.redhat.com/errata/RHSA-2013:0130
No exploits are available.
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2008-0456
Access Vector (AV) network
Access Complexity (AC) high
Authentication (Au) none
Confidentiality Impact (C) none
Integrity Impact (I) partial
Availability Impact (A) none
Exploit Prediction Scoring System (EPSS)
Percentile 0.75637
EPSS Score 0.00474
Published At Jan. 16, 2025, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.