NVD脆弱性詳細

CVE-2016-4975

概要	Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).
公表日	2018年8月14日21:29
登録日	2021年1月26日14:13
最終更新日	2024年11月21日11:53

CVSS3.0 : MEDIUM
スコア	6.1
ベクター	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	はい

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.2.23:::::::*
cpe:2.3:a:apache:http_server:2.4.1:::::::*
cpe:2.3:a:apache:http_server:2.4.20:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.31:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.4.6:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.4.12:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.17:::::::*
cpe:2.3:a:apache:http_server:2.2.16:::::::*
cpe:2.3:a:apache:http_server:2.2.21:::::::*
cpe:2.3:a:apache:http_server:2.4.3:::::::*
cpe:2.3:a:apache:http_server:2.4.23:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.4.4:::::::*
cpe:2.3:a:apache:http_server:2.4.10:::::::*
cpe:2.3:a:apache:http_server:2.4.7:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
cpe:2.3:a:apache:http_server:2.2.24:::::::*
cpe:2.3:a:apache:http_server:2.2.25:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.22:::::::*
cpe:2.3:a:apache:http_server:2.2.19:::::::*
cpe:2.3:a:apache:http_server:2.2.27:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.4.18:::::::*
cpe:2.3:a:apache:http_server:2.2.18:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.29:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.4.2:::::::*
cpe:2.3:a:apache:http_server:2.2.15:::::::*
cpe:2.3:a:apache:http_server:2.2.20:::::::*
cpe:2.3:a:apache:http_server:2.4.17:::::::*
cpe:2.3:a:apache:http_server:2.4.16:::::::*
cpe:2.3:a:apache:http_server:2.4.9:::::::*
cpe:2.3:a:apache:http_server:2.2.26:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://www.securityfocus.com/bid/105093	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/105093	Third Party Advisory VDB Entry
3	https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975	Vendor Advisory
4	https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975	Vendor Advisory
5	https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975	Vendor Advisory
6	https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975	Vendor Advisory
7	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
8	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
9	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
10	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
11	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
12	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
13	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
14	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
15	https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E
16	https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E
17	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
18	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
19	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
20	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
21	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
22	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
23	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
24	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
25	https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
26	https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
27	https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
28	https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
29	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
30	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
31	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
32	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
33	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
34	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
35	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
36	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
37	https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
38	https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
39	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
40	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
41	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
42	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
43	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
44	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
45	https://security.netapp.com/advisory/ntap-20180926-0006/	Third Party Advisory
46	https://security.netapp.com/advisory/ntap-20180926-0006/	Third Party Advisory
47	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us
48	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-93	CRLF インジェクション	https://cwe.mitre.org/data/definitions/93.html

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.2.23:::::::*
cpe:2.3:a:apache:http_server:2.4.1:::::::*
cpe:2.3:a:apache:http_server:2.4.20:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.31:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.4.6:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.4.12:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.17:::::::*
cpe:2.3:a:apache:http_server:2.2.16:::::::*
cpe:2.3:a:apache:http_server:2.2.21:::::::*
cpe:2.3:a:apache:http_server:2.4.3:::::::*
cpe:2.3:a:apache:http_server:2.4.23:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.4.4:::::::*
cpe:2.3:a:apache:http_server:2.4.10:::::::*
cpe:2.3:a:apache:http_server:2.4.7:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
cpe:2.3:a:apache:http_server:2.2.24:::::::*
cpe:2.3:a:apache:http_server:2.2.25:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.22:::::::*
cpe:2.3:a:apache:http_server:2.2.19:::::::*
cpe:2.3:a:apache:http_server:2.2.27:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.4.18:::::::*
cpe:2.3:a:apache:http_server:2.2.18:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.29:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.4.2:::::::*
cpe:2.3:a:apache:http_server:2.2.15:::::::*
cpe:2.3:a:apache:http_server:2.2.20:::::::*
cpe:2.3:a:apache:http_server:2.4.17:::::::*
cpe:2.3:a:apache:http_server:2.4.16:::::::*
cpe:2.3:a:apache:http_server:2.4.9:::::::*
cpe:2.3:a:apache:http_server:2.2.26:::::::*