CVE-2008-0456

NameCVE-2008-0456
DescriptionCRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)jessie, jessie (lts)2.4.10-10+deb8u29vulnerable
stretch (security)2.4.25-3+deb9u13vulnerable
stretch (lts), stretch2.4.25-3+deb9u19vulnerable
buster, buster (lts)2.4.59-1~deb10u4vulnerable
buster (security)2.4.59-1~deb10u1vulnerable
bullseye2.4.62-1~deb11u1vulnerable
bullseye (security)2.4.62-1~deb11u2vulnerable
bookworm (security), bookworm2.4.62-1~deb12u2vulnerable
sid, trixie2.4.62-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apachesource(unstable)(unfixed)unimportant
apache2source(unstable)(unfixed)unimportant

Notes

This is only relevant if an attacker can upload files with arbitrary names
but not with arbitrary contents.

Search for package or bug name: Reporting problems