2.6
CWE
74 93
Advisory Published
Updated

CVE-2008-0456: CRLF Injection

First published: Fri Jan 25 2008(Updated: )

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Apache HTTP Server>=2.2.0<2.2.12
Red Hat Enterprise Linux Server=5.0
Red Hat Enterprise Linux Workstation=5.0
Red Hat Enterprise Linux Desktop=5.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2008-0456?

    CVE-2008-0456 is classified as a medium severity vulnerability.

  • How do I fix CVE-2008-0456?

    To fix CVE-2008-0456, update your Apache HTTP Server to version 2.2.12 or later.

  • Which versions of Apache are affected by CVE-2008-0456?

    CVE-2008-0456 affects Apache HTTP Server versions 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series.

  • What type of attack can be executed using CVE-2008-0456?

    CVE-2008-0456 allows remote authenticated users to inject arbitrary HTTP headers, potentially leading to HTTP response splitting attacks.

  • Is CVE-2008-0456 specific to any operating system?

    CVE-2008-0456 is not operating system specific but affects Apache installations running on platforms like Red Hat Enterprise Linux.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203