CVE-2016-1900

Published on: 01/20/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:04 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Certain versions of Cgit from Cgit Project contain the following vulnerability:

CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c in CGit before 0.12 allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename.

  • CVE-2016-1900 has been assigned to track this vulnerability; it is currently rated LOW severity (CVSS v3).
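The description above is the whole mechanism: a filename that the repository controls is interpolated into a response header, and a CR or LF inside it ends that header and starts a new one. The following is an added illustration written for this page, not cgit's own code and not the upstream fix; it models a CGI-style header block with a vulnerable builder beside a hardened one, a guard usable before any untrusted value reaches a header, and a line counter that makes the split visible. The `EVIL_NAME` filename is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable builder (illustration, not cgit's code): the filename is
 * copied verbatim into Content-Disposition.  Returns snprintf's count. */
int build_headers_vulnerable(char *out, size_t outsz,
                             const char *mime, const char *filename)
{
    return snprintf(out, outsz,
                    "Content-Type: %s\n"
                    "Content-Disposition: inline; filename=\"%s\"\n"
                    "\n",
                    mime, filename);
}

/* Guard: 1 if the value contains no CR or LF, 0 otherwise.  Either
 * byte ends a header line for a CGI program or the web server in front
 * of it, so both must be refused. */
int header_value_is_safe(const char *s)
{
    for (; *s; s++)
        if (*s == '\r' || *s == '\n')
            return 0;
    return 1;
}

/* Copy src into dst, replacing CR, LF and '"' (which would close the
 * quoted-string parameter) with '_'.  Returns the length written. */
size_t sanitize_header_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0)
        return 0;
    for (; *src && n + 1 < dstsz; src++, n++) {
        char c = *src;
        dst[n] = (c == '\r' || c == '\n' || c == '"') ? '_' : c;
    }
    dst[n] = '\0';
    return n;
}

/* Hardened builder: same layout, filename sanitised first. */
int build_headers_hardened(char *out, size_t outsz,
                           const char *mime, const char *filename)
{
    char clean[256];
    sanitize_header_arg(clean, sizeof clean, filename);
    return snprintf(out, outsz,
                    "Content-Type: %s\n"
                    "Content-Disposition: inline; filename=\"%s\"\n"
                    "\n",
                    mime, clean);
}

/* Count header lines up to the blank line that ends the block,
 * accepting LF or CRLF terminators.  Both builders above should
 * produce exactly two for a benign filename. */
int count_header_lines(const char *block)
{
    int lines = 0;
    const char *p = block;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')
            len--;
        if (len == 0)
            break;              /* blank line: end of headers */
        lines++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return lines;
}

/* Convenience wrappers so each builder's effect is a single value. */
int vulnerable_line_count(const char *filename)
{
    char buf[512];
    build_headers_vulnerable(buf, sizeof buf, "text/plain", filename);
    return count_header_lines(buf);
}

int hardened_line_count(const char *filename)
{
    char buf[512];
    build_headers_hardened(buf, sizeof buf, "text/plain", filename);
    return count_header_lines(buf);
}

/* Constructed malicious filename, as an attacker with write access could
 * commit it: ends the header, adds one, then ends the block with a body. */
static const char *const EVIL_NAME =
    "x.txt\nSet-Cookie: sid=attacker\n\n<script>alert(1)</script>";

int main(void)
{
    printf("vulnerable: %d header lines\n", vulnerable_line_count(EVIL_NAME));
    printf("hardened:   %d header lines\n", hardened_line_count(EVIL_NAME));
    return 0;
}
```

Rejecting the filename outright (the `header_value_is_safe` guard) is the cleaner fix when the caller can return an error; substitution is shown because a blob view usually still wants to serve the file. Either way the check belongs at the point where the value enters the header, not in the git-side code that produced the name.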

CVSS3 Score: 3.7 - LOW

Metric                  Value
Attack Vector           NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  NONE
Integrity Impact        LOW
Availability Impact     NONE

Note that the v3 vector scores Privileges Required as NONE although the description requires the attacker to get a crafted filename into a repository that cgit serves; treat that write access as the practical precondition when triaging.

CVSS2 Score: 4.3 - MEDIUM

Metric                  Value
Access Vector           NETWORK
Access Complexity       MEDIUM
Authentication          NONE
Confidentiality Impact  NONE
Integrity Impact        PARTIAL
Availability Impact     NONE

CVE References

  • [CGit] 20160113 XSS in cgit (MLIST) - lists.zx2c4.com
  • openSUSE-SU-2016:0218-1: moderate: Security update for cgit (SUSE openSUSE-SU-2016:0218) - lists.opensuse.org
  • [SECURITY] Fedora 22 Update: cgit-0.12-1.fc22 (FEDORA FEDORA-2016-215b507409) - lists.fedoraproject.org
  • openSUSE-SU-2016:0196-1: moderate: Security update for cgit (SUSE openSUSE-SU-2016:0196) - lists.opensuse.org
  • [CGit] 20160114 [ANNOUNCE] CGIT v0.12 Released (MLIST; tagged Patch) - lists.zx2c4.com
  • cgit - A hyperfast web frontend for git repositories written in C (CONFIRM): git.zx2c4.com/cgit/commit/?id=513b3863d999f91b47d7e9f26710390db55f9463
  • [oss-security] 20160114 CVE Request: CGit - Multiple vulnerabilities (MLIST; tagged Patch) - www.openwall.com
  • [oss-security] 20160114 Re: CVE Request: CGit - Multiple vulnerabilities (MLIST) - www.openwall.com
  • Debian -- Security Information -- DSA-3545-1 cgit (DEBIAN DSA-3545) - www.debian.org (deprecated link)
  • [SECURITY] Fedora 23 Update: cgit-0.12-1.fc23 (FEDORA FEDORA-2016-e5a5fb196f) - lists.fedoraproject.org

Known Affected Configurations (CPE V2.3)

Type              Vendor         Product  Version  Update  Edition  Language
Application       Cgit Project   Cgit     All      All     All      All
Operating System  Fedoraproject  Fedora   22       All     All      All

  • cpe:2.3:a:cgit_project:cgit:*:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*