Fluid Attacks Database

Description

CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c in CGit before 0.12 allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 14	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 11	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 13	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1

Aliases

1. CVE-2016-19002. NVD-2016-19003. OSV-DEBIAN-2016-19004. OSV-2016-19005. SECURITY-TRACKER-CVE-2016-1900

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.