CVE-2018-1319 - OpenCVE

In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Allura

Configuration 1 [-]

cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/103434	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/22b74bc4002091157ec2bddf9fa3b7643ffaa77aa6cb85562f0e30da%40%3Cdev.allura.apache.org%3E

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2018-03-15T00:00:00

Updated: 2018-03-20T09:57:01

Reserved: 2017-12-07T00:00:00

Link: CVE-2018-1319

JSON object: View

NVD Information

Status : Modified

Published: 2018-03-15T20:29:00.220

Modified: 2023-11-07T02:55:57.770

Link: CVE-2018-1319

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"containers": {"cna": {"affected": [{"product": "Apache Allura", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "prior to 1.8.1"}]}], "datePublic": "2018-03-15T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session."}], "problemTypes": [{"descriptions": [{"description": "HTTP response splitting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-20T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[dev] 20180315 [SECURITY] CVE-2018-1319 Apache Allura HTTP response splitting", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/22b74bc4002091157ec2bddf9fa3b7643ffaa77aa6cb85562f0e30da%40%3Cdev.allura.apache.org%3E"}, {"name": "103434", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103434"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-03-15T00:00:00", "ID": "CVE-2018-1319", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Allura", "version": {"version_data": [{"version_value": "prior to 1.8.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "HTTP response splitting"}]}]}, "references": {"reference_data": [{"name": "[dev] 20180315 [SECURITY] CVE-2018-1319 Apache Allura HTTP response splitting", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/22b74bc4002091157ec2bddf9fa3b7643ffaa77aa6cb85562f0e30da@%3Cdev.allura.apache.org%3E"}, {"name": "103434", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103434"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1319", "datePublished": "2018-03-15T00:00:00", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2018-03-20T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C89E4CD-7818-4D85-AE51-88AADC2EF239", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session."}, {"lang": "es", "value": "En las versiones anteriores a la 1.8.1 de Apache Allure, los atacantes podr\u00edan crear URL manipuladas que hagan que las respuestas HTTP se dividan. Si una v\u00edctima accede a una URL manipulada maliciosamente, pueden ocurrir resultados no deseados como Cross-Site Scripting (XSS) o denegaciones de servicio en la sesi\u00f3n de navegaci\u00f3n de la v\u00edctima."}], "id": "CVE-2018-1319", "lastModified": "2023-11-07T02:55:57.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-15T20:29:00.220", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103434"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/22b74bc4002091157ec2bddf9fa3b7643ffaa77aa6cb85562f0e30da%40%3Cdev.allura.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}