CVE-2016-0359

high-risk

Published 2016-07-03

CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

Do I need to act?

-

0.31% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

6

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Websphere Application Server

Affected Vendors

Ibm

References (8)

http://www-01.ibm.com/support/docview.wss?uid=swg1PI58918

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21982526

http://www.securityfocus.com/bid/91484

http://www.securitytracker.com/id/1036184

http://www-01.ibm.com/support/docview.wss?uid=swg1PI58918

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21982526

http://www.securityfocus.com/bid/91484

http://www.securitytracker.com/id/1036184

51

/ 100

high-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 27/34 · High