CVE-2008-3906

CVE	CVE-2008-3906
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-09-04 17:41:00 UTC
Updated	2018-10-11 20:50:00 UTC
Description	CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.

Problem Types: CWE-20

Type	Vendor	Product	Version	Update	Edition	Language
Application	Mono	Mono	1.0	All	All	All
Application	Mono	Mono	1.0.5	All	All	All
Application	Mono	Mono	1.1.13	All	All	All
Application	Mono	Mono	1.1.13.4	All	All	All
Application	Mono	Mono	1.1.13.6	All	All	All
Application	Mono	Mono	1.1.13.7	All	All	All
Application	Mono	Mono	1.1.17	All	All	All
Application	Mono	Mono	1.1.17.1	All	All	All
Application	Mono	Mono	1.1.18	All	All	All
Application	Mono	Mono	1.1.4	All	All	All
Application	Mono	Mono	1.1.8.3	All	All	All
Application	Mono	Mono	1.2.5.1	All	All	All
Application	Mono	Mono	1.0	All	All	All
Application	Mono	Mono	1.0.5	All	All	All
Application	Mono	Mono	1.1.13	All	All	All
Application	Mono	Mono	1.1.13.4	All	All	All
Application	Mono	Mono	1.1.13.6	All	All	All
Application	Mono	Mono	1.1.13.7	All	All	All
Application	Mono	Mono	1.1.17	All	All	All
Application	Mono	Mono	1.1.17.1	All	All	All
Application	Mono	Mono	1.1.18	All	All	All
Application	Mono	Mono	1.1.4	All	All	All
Application	Mono	Mono	1.1.8.3	All	All	All
Application	Mono	Mono	1.2.5.1	All	All	All
Application	Mono Project	Mono	1.2.1	All	All	All
Application	Mono Project	Mono	1.2.2	All	All	All
Application	Mono Project	Mono	1.2.3	All	All	All
Application	Mono Project	Mono	1.2.4	All	All	All
Application	Mono Project	Mono	1.2.5	All	All	All
Application	Mono Project	Mono	1.2.6	All	All	All
Application	Mono Project	Mono	1.9	All	All	All
Application	Mono Project	Mono	1.2.1	All	All	All
Application	Mono Project	Mono	1.2.2	All	All	All
Application	Mono Project	Mono	1.2.3	All	All	All
Application	Mono Project	Mono	1.2.4	All	All	All
Application	Mono Project	Mono	1.2.5	All	All	All
Application	Mono Project	Mono	1.2.6	All	All	All
Application	Mono Project	Mono	1.9	All	All	All
Application	Mono Project	Mono	All	All	All	All

Reference	Source	Link	Tags
USN-826-1: Mono vulnerabilities \| Ubuntu security notices	UBUNTU	usn.ubuntu.com
oss-security - CVE request: mono Sys.Web header injection	MLIST	www.openwall.com
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Mono 'System.Web' HTTP Header Injection Vulnerability	BID	www.securityfocus.com	Exploit
Support / Security / Advisories / / MDVSA-2008:210 \| Mandriva	MANDRIVA	www.mandriva.com
Mono Sys.Web HTTP Header Injection Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com	Vendor Advisory
Ubuntu update for mono - Secunia Advisories - Vulnerability Information - Secunia.com	SECUNIA	secunia.com
wiki.rpath.com/wiki/Advisories:rPSA-2008-0286	CONFIRM	wiki.rpath.com
Webmail - OVH	VUPEN	www.vupen.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
Bug 418620 – Sys.Web is prone to "HTTP header injection" attacks	CONFIRM	bugzilla.novell.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.