CVE-2002-1405 - OpenCVE

CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Elinks	Elinks
Links	Links
University Of Kansas	Lynx

Configuration 1 [-]

OR	cpe:2.3:a:elinks:elinks:0.2.4:::::::*
	cpe:2.3:a:elinks:elinks:0.3.2:::::::*
	cpe:2.3:a:links:links:0.96:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.2_rel1:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.3:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.3_rel1:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.4:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.4_rel1:::::::*
	cpe:2.3:a:university_of_kansas:lynx:2.8.5_dev8:::::::*

References

Link	Resource
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt
http://marc.info/?l=bugtraq&m=102978118411977&w=2
http://marc.info/?l=bugtraq&m=103003793418021&w=2
http://www.debian.org/security/2002/dsa-210	Patch Vendor Advisory
http://www.iss.net/security_center/static/9887.php	Patch Vendor Advisory
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023
http://www.redhat.com/support/errata/RHSA-2003-029.html
http://www.redhat.com/support/errata/RHSA-2003-030.html
http://www.securityfocus.com/bid/5499
http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2004-09-01T04:00:00

Updated: 2010-05-21T00:00:00

Reserved: 2003-02-04T00:00:00

Link: CVE-2002-1405

JSON object: View

NVD Information

Status : Modified

Published: 2003-02-19T05:00:00.000

Modified: 2016-10-18T02:26:57.090

Link: CVE-2002-1405

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-08-19T00:00:00", "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-05-21T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "MDKSA-2003:023", "tags": ["vendor-advisory", "x_refsource_MANDRAKE"], "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023"}, {"name": "RHSA-2003:030", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2003-030.html"}, {"name": "2002-0085", "tags": ["vendor-advisory", "x_refsource_TRUSTIX"], "url": "http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt"}, {"name": "lynx-crlf-injection(9887)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/9887.php"}, {"name": "RHSA-2003:029", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2003-029.html"}, {"name": "20020822 Lynx CRLF Injection, part two", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=103003793418021&w=2"}, {"name": "20020819 Lynx CRLF Injection", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=102978118411977&w=2"}, {"name": "5499", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/5499"}, {"name": "CSSA-2002-049.0", "tags": ["vendor-advisory", "x_refsource_CALDERA"], "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt"}, {"name": "DSA-210", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2002/dsa-210"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-1405", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "MDKSA-2003:023", "refsource": "MANDRAKE", "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023"}, {"name": "RHSA-2003:030", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2003-030.html"}, {"name": "2002-0085", "refsource": "TRUSTIX", "url": "http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt"}, {"name": "lynx-crlf-injection(9887)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/9887.php"}, {"name": "RHSA-2003:029", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2003-029.html"}, {"name": "20020822 Lynx CRLF Injection, part two", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=103003793418021&w=2"}, {"name": "20020819 Lynx CRLF Injection", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=102978118411977&w=2"}, {"name": "5499", "refsource": "BID", "url": "http://www.securityfocus.com/bid/5499"}, {"name": "CSSA-2002-049.0", "refsource": "CALDERA", "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt"}, {"name": "DSA-210", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2002/dsa-210"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-1405", "datePublished": "2004-09-01T04:00:00", "dateReserved": "2003-02-04T00:00:00", "dateUpdated": "2010-05-21T00:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elinks:elinks:0.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "CC9B529C-E151-4468-844A-EF9446175D81", "vulnerable": true}, {"criteria": "cpe:2.3:a:elinks:elinks:0.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D7DC0333-37D1-40B5-821A-839C1817DA4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:links:links:0.96:*:*:*:*:*:*:*", "matchCriteriaId": "9711D879-CD97-487D-9DC1-5B26145874C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.2_rel1:*:*:*:*:*:*:*", "matchCriteriaId": "A0387441-C971-487A-8379-1F2B91CD6EC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "2DA626DE-D9B2-4764-80AA-7D4F499184F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.3_rel1:*:*:*:*:*:*:*", "matchCriteriaId": "D7680912-C6C7-44BD-AD1B-0828E4F03482", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "6033263D-6B30-4002-B9F5-4062FD09B815", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.4_rel1:*:*:*:*:*:*:*", "matchCriteriaId": "DCD15F97-2B1A-4C28-B5BC-6B6A6E389831", "vulnerable": true}, {"criteria": "cpe:2.3:a:university_of_kansas:lynx:2.8.5_dev8:*:*:*:*:*:*:*", "matchCriteriaId": "79AB7C16-A5E4-4D7F-B879-5E13917449C3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de CRLF en Lynx 2.8.4 y anteriores permite a atacantes remotos inyectar cabeceras HTTP falsas en una petici\u00f3n http provista en la linea de comandos, mediante una URL conteniendo un retorno de carro codificado, salto de l\u00ednea, y otros caract\u00e9res espacio en blanco."}], "id": "CVE-2002-1405", "lastModified": "2016-10-18T02:26:57.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2003-02-19T05:00:00.000", "references": [{"source": "cve@mitre.org", "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-049.0.txt"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=102978118411977&w=2"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=103003793418021&w=2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.debian.org/security/2002/dsa-210"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.iss.net/security_center/static/9887.php"}, {"source": "cve@mitre.org", "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:023"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2003-029.html"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2003-030.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/5499"}, {"source": "cve@mitre.org", "url": "http://www.trustix.net/errata/misc/2002/TSL-2002-0085-lynx-ssl.asc.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}