CVE-2016-4993 — Improper Neutralization of CRLF Sequences in Wildfly Undertow

Description

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

How to fix CVE-2016-4993

To remediate CVE-2016-4993, upgrade the affected package to a fixed version below.

—upgrade to 1.4.3-1 or later
—upgrade to 11.0.0.Final or later

Is CVE-2016-4993 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.3-1
>= 10.0.0.Final, < 11.0.0.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4993
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-4993
WEBrhn.redhat.com/errata/RHSA-2016-1838.html
WEBrhn.redhat.com/errata/RHSA-2016-1839.html
WEB