VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-vfbs-rr54-e7bu

Essentials
Severities (20)
References (16)
Severity details (3)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-vfbs-rr54-e7bu
Aliases	CVE-2016-8743
Summary	Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace. These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-20

Improper Input Validation

System	Score	Found at
cvssv3	4.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8743.json
epss	0.02311	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.02311	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.02311	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
epss	0.06784	https://api.first.org/data/v1/epss?cve=CVE-2016-8743
cvssv2	5.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd	important	https://httpd.apache.org/security/json/CVE-2016-8743.json

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8743.json
		https://api.first.org/data/v1/epss?cve=CVE-2016-8743
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1406822		https://bugzilla.redhat.com/show_bug.cgi?id=1406822
CVE-2016-8743		https://httpd.apache.org/security/json/CVE-2016-8743.json
RHSA-2017:0906		https://access.redhat.com/errata/RHSA-2017:0906
RHSA-2017:1161		https://access.redhat.com/errata/RHSA-2017:1161
RHSA-2017:1413		https://access.redhat.com/errata/RHSA-2017:1413
RHSA-2017:1414		https://access.redhat.com/errata/RHSA-2017:1414
RHSA-2017:1415		https://access.redhat.com/errata/RHSA-2017:1415
RHSA-2017:1721		https://access.redhat.com/errata/RHSA-2017:1721
USN-3279-1		https://usn.ubuntu.com/3279-1/
USN-3373-1		https://usn.ubuntu.com/3373-1/

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8743.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Exploit Prediction Scoring System (EPSS)

Percentile	0.8421
EPSS Score	0.02311
Published At	Aug. 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:29:02.076754+00:00	Apache HTTPD Importer	Import	https://httpd.apache.org/security/json/CVE-2016-8743.json	37.0.0