Fluid Attacks Database

Description

CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 12	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 14	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1
debian 13	cgit	>=0 <0.11.2.git2.3.2-1.1	0.11.2.git2.3.2-1.1

Aliases

1. CVE-2016-18992. NVD-2016-18993. OSV-DEBIAN-2016-18994. OSV-2016-18995. SECURITY-TRACKER-CVE-2016-1899

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.