Vulnerability Details CVE-2016-2216
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 4.3
References
- http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
- http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
- http://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html
- http://www.securityfocus.com/bid/83141
- https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
- https://security.gentoo.org/glsa/201612-43
- http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-root-cause-analysis/
- http://info.safebreach.com/hubfs/Node-js-Response-Splitting.pdf
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177184.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177673.html
- http://packetstormsecurity.com/files/135711/Node.js-HTTP-Response-Splitting.html
- http://www.securityfocus.com/bid/83141
- https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
- https://security.gentoo.org/glsa/201612-43
Products affected by CVE-2016-2216
-
cpe:2.3:a:nodejs:node.js:0.10.0
-
cpe:2.3:a:nodejs:node.js:0.10.1
-
cpe:2.3:a:nodejs:node.js:0.10.10
-
cpe:2.3:a:nodejs:node.js:0.10.11
-
cpe:2.3:a:nodejs:node.js:0.10.12
-
cpe:2.3:a:nodejs:node.js:0.10.13
-
cpe:2.3:a:nodejs:node.js:0.10.14
-
cpe:2.3:a:nodejs:node.js:0.10.15
-
cpe:2.3:a:nodejs:node.js:0.10.16
-
cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual
-
cpe:2.3:a:nodejs:node.js:0.10.17
-
cpe:2.3:a:nodejs:node.js:0.10.18
-
cpe:2.3:a:nodejs:node.js:0.10.19
-
cpe:2.3:a:nodejs:node.js:0.10.2
-
cpe:2.3:a:nodejs:node.js:0.10.20
-
cpe:2.3:a:nodejs:node.js:0.10.21
-
cpe:2.3:a:nodejs:node.js:0.10.22
-
cpe:2.3:a:nodejs:node.js:0.10.23
-
cpe:2.3:a:nodejs:node.js:0.10.24
-
cpe:2.3:a:nodejs:node.js:0.10.25
-
cpe:2.3:a:nodejs:node.js:0.10.26
-
cpe:2.3:a:nodejs:node.js:0.10.27
-
cpe:2.3:a:nodejs:node.js:0.10.28
-
cpe:2.3:a:nodejs:node.js:0.10.29
-
cpe:2.3:a:nodejs:node.js:0.10.3
-
cpe:2.3:a:nodejs:node.js:0.10.30
-
cpe:2.3:a:nodejs:node.js:0.10.31
-
cpe:2.3:a:nodejs:node.js:0.10.32
-
cpe:2.3:a:nodejs:node.js:0.10.33
-
cpe:2.3:a:nodejs:node.js:0.10.34
-
cpe:2.3:a:nodejs:node.js:0.10.35
-
cpe:2.3:a:nodejs:node.js:0.10.36
-
cpe:2.3:a:nodejs:node.js:0.10.37
-
cpe:2.3:a:nodejs:node.js:0.10.38
-
cpe:2.3:a:nodejs:node.js:0.10.39
-
cpe:2.3:a:nodejs:node.js:0.10.4
-
cpe:2.3:a:nodejs:node.js:0.10.40
-
cpe:2.3:a:nodejs:node.js:0.10.41
-
cpe:2.3:a:nodejs:node.js:0.10.5
-
cpe:2.3:a:nodejs:node.js:0.10.6
-
cpe:2.3:a:nodejs:node.js:0.10.7
-
cpe:2.3:a:nodejs:node.js:0.10.8
-
cpe:2.3:a:nodejs:node.js:0.10.9
-
cpe:2.3:a:nodejs:node.js:0.11.10
-
cpe:2.3:a:nodejs:node.js:0.11.11
-
cpe:2.3:a:nodejs:node.js:0.11.12
-
cpe:2.3:a:nodejs:node.js:0.11.13
-
cpe:2.3:a:nodejs:node.js:0.11.14
-
cpe:2.3:a:nodejs:node.js:0.11.15
-
cpe:2.3:a:nodejs:node.js:0.11.16
-
cpe:2.3:a:nodejs:node.js:0.11.6
-
cpe:2.3:a:nodejs:node.js:0.11.7
-
cpe:2.3:a:nodejs:node.js:0.11.8
-
cpe:2.3:a:nodejs:node.js:0.11.9
-
cpe:2.3:a:nodejs:node.js:0.12.0
-
cpe:2.3:a:nodejs:node.js:0.12.1
-
cpe:2.3:a:nodejs:node.js:0.12.2
-
cpe:2.3:a:nodejs:node.js:0.12.3
-
cpe:2.3:a:nodejs:node.js:0.12.4
-
cpe:2.3:a:nodejs:node.js:0.12.5
-
cpe:2.3:a:nodejs:node.js:0.12.6
-
cpe:2.3:a:nodejs:node.js:0.12.7
-
cpe:2.3:a:nodejs:node.js:0.12.8
-
cpe:2.3:a:nodejs:node.js:0.12.9
-
cpe:2.3:a:nodejs:node.js:4.0.0
-
cpe:2.3:a:nodejs:node.js:4.1.0
-
cpe:2.3:a:nodejs:node.js:4.1.1
-
cpe:2.3:a:nodejs:node.js:4.1.2
-
cpe:2.3:a:nodejs:node.js:4.2.0
-
cpe:2.3:a:nodejs:node.js:4.2.1
-
cpe:2.3:a:nodejs:node.js:4.2.2
-
cpe:2.3:a:nodejs:node.js:4.2.3
-
cpe:2.3:a:nodejs:node.js:4.2.4
-
cpe:2.3:a:nodejs:node.js:4.2.5
-
cpe:2.3:a:nodejs:node.js:4.2.6
-
cpe:2.3:a:nodejs:node.js:5.0.0
-
cpe:2.3:a:nodejs:node.js:5.1.0
-
cpe:2.3:a:nodejs:node.js:5.1.1
-
cpe:2.3:a:nodejs:node.js:5.2.0
-
cpe:2.3:a:nodejs:node.js:5.3.0
-
cpe:2.3:a:nodejs:node.js:5.4.0
-
cpe:2.3:a:nodejs:node.js:5.4.1
-
cpe:2.3:a:nodejs:node.js:5.5.0
-
cpe:2.3:o:fedoraproject:fedora:22
-
cpe:2.3:o:fedoraproject:fedora:23