CVE-2007-5595 - OpenCVE

CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:H/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

References

Link	Resource
http://drupal.org/node/184315	Vendor Advisory
http://secunia.com/advisories/27292	Third Party Advisory
http://secunia.com/advisories/27352	Third Party Advisory
http://www.securityfocus.com/bid/26119	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2007/3546	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/37264	Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-10-19T23:00:00

Updated: 2017-07-28T12:57:01

Reserved: 2007-10-19T00:00:00

Link: CVE-2007-5595

JSON object: View

NVD Information

Status : Analyzed

Published: 2007-10-19T23:17:00.000

Modified: 2018-10-26T14:13:00.390

Link: CVE-2007-5595

JSON object: View

Redhat Information

No data.

CWE

CWE-113

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-10-17T00:00:00", "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/184315"}, {"name": "ADV-2007-3546", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"name": "drupal-unspecified-response-splitting(37264)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37264"}, {"name": "27292", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27292"}, {"name": "FEDORA-2007-2649", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"name": "27352", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/27352"}, {"name": "26119", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/26119"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-5595", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://drupal.org/node/184315", "refsource": "CONFIRM", "url": "http://drupal.org/node/184315"}, {"name": "ADV-2007-3546", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"name": "drupal-unspecified-response-splitting(37264)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37264"}, {"name": "27292", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27292"}, {"name": "FEDORA-2007-2649", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}, {"name": "27352", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27352"}, {"name": "26119", "refsource": "BID", "url": "http://www.securityfocus.com/bid/26119"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-5595", "datePublished": "2007-10-19T23:00:00", "dateReserved": "2007-10-19T00:00:00", "dateUpdated": "2017-07-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA9F6D81-D535-4A16-8268-E90705A904DC", "versionEndExcluding": "4.7.8", "versionStartIncluding": "4.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC052F7E-A193-434A-B239-0CC3FB371758", "versionEndExcluding": "5.3", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n CRLF (CR (retorno de carro) y LF (salto de l\u00ednea)) en la funci\u00f3n drupal_goto del includes/common.inc Drupal 4.7.x anterior al 4.7.8 y el 5.x anterior al 5.3 permite a atacantes remotos la inyecci\u00f3n de cabeceras HTTP de su elecci\u00f3n y llevar a cabo ataques de divisi\u00f3n de respuesta HTTP a trav\u00e9s de vectores sin especificar."}], "id": "CVE-2007-5595", "lastModified": "2018-10-26T14:13:00.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-10-19T23:17:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://drupal.org/node/184315"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27292"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/27352"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/26119"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2007/3546"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37264"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "nvd@nist.gov", "type": "Primary"}]}