{"id":"CVE-2016-4975","details":"Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).","modified":"2026-04-10T03:50:06.296577Z","published":"2018-08-14T12:29:00.220Z","related":["SUSE-SU-2018:2554-1","SUSE-SU-2018:2815-1","SUSE-SU-2018:2815-2"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us"},{"type":"WEB","url":"https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180926-0006/"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105093"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"0"},{"last_affected":"cd3e5a83cd5765d12b3237631c829eaff80f8425"},{"introduced":"0"},{"last_affected":"1c7da70e72d96fa72244bd032d89769c1399b5f7"},{"introduced":"0"},{"last_affected":"43559342e30402bbca6ca84ab88a533f118bf444"},{"introduced":"0"},{"last_affected":"8dfd45d1f67969afa0b95faf03a9fc283e0c5b63"},{"introduced":"0"},{"last_affected":"9e1e5d76b296e7e00ba8f56c6976cf8bd69a0e4e"},{"introduced":"0"},{"last_affected":"8fa038317b96b70e04656aadb2ab20e3212a6e87"},{"introduced":"0"},{"last_affected":"0cddd3aa8709b50b3c1d52b478defeb91f230ce1"},{"introduced":"0"},{"last_affected":"32d03a287f8f33adcc7af96844089cff5ce2ca09"},{"introduced":"0"},{"last_affected":"34ea1cee78449ff1081267cd2348a01099b04ac9"},{"introduced":"0"},{"last_affected":"810842a1dc70b67ac82fd53e09250b8bb7dbe27d"},{"introduced":"0"},{"last_affected":"777e5a254758046a13ebeaf09fa4af6467bf8910"},{"introduced":"0"},{"last_affected":"926546a5bb798796aec1135994c6c242529e1d94"},{"introduced":"0"},{"last_affected":"cad4926fd376fd483859ab4b1871b3e9473cae01"},{"introduced":"0"},{"last_affected":"f54aa3b08da564fb8e1664f770ce2c083b8a0c69"},{"introduced":"0"},{"last_affected":"87777f4289970214d3fcf2885dbf01188371b738"},{"introduced":"0"},{"last_affected":"ea2107f62fec7368c0d07294626d92921cffa794"},{"introduced":"0"},{"last_affected":"f6204293872d3345bea724149b9d9cc3878e61be"},{"introduced":"0"},{"last_affected":"79399902e001e6edac9a0314f2e2e6dc580640a0"},{"introduced":"0"},{"last_affected":"3614ebd12db5e555ac7f2975afa530116d204335"},{"introduced":"0"},{"last_affected":"a5fd1e3e9921e87e9c5526198e8bdc8db6b75061"},{"introduced":"0"},{"last_affected":"647bc6a13a11ae7772391170fd176ad8b8846b87"},{"introduced":"0"},{"last_affected":"803b3cbae02b4f7562bbcdf5f9d7fd82f4cf48cf"},{"introduced":"0"},{"last_affected":"886787685c97f9c392adca5ac29d3e8bd3aef7c5"},{"introduced":"0"},{"last_affected":"82b0da5c50d9e1c226b1eaa2e7780921be1386b3"},{"introduced":"0"},{"last_affected":"7b5870f6ce45d2a1baef173e8a634e6044434943"},{"introduced":"0"},{"last_affected":"cef6805cb18886c5454a38f3501c5e3c990c0b3d"},{"introduced":"0"},{"last_affected":"79f35160c372de1e867542e1705962fb0880a647"},{"introduced":"0"},{"last_affected":"60fa04727910859b5512f7bbb36c53c4652cff2c"},{"introduced":"0"},{"last_affected":"67578c0315accbca1bba22d695c59d51197c99cc"},{"introduced":"0"},{"last_affected":"14434f9be6e1624a4b3070b0df00901fb62e9ca4"},{"introduced":"0"},{"last_affected":"408b0bd76056d59fa1d46deab60904b816f0d119"},{"introduced":"0"},{"last_affected":"7650f0ca88028593a7c5fbba2e20bca4a65b031d"},{"introduced":"0"},{"last_affected":"f2b561181dbd0c689fd583c60878ce05854ec5f9"},{"introduced":"0"},{"last_affected":"7ea253ccfeaec99b5684c909dce6d9a6d7ee6486"},{"introduced":"0"},{"last_affected":"015ab81d44c1f6def12fdbb7dc8d8241bf8e3ef5"},{"introduced":"0"},{"last_affected":"1287b680fbde78d9289029b6a6b63a3f9e58d704"},{"introduced":"0"},{"last_affected":"2d1deb10cfafe25ade7f30307e13b6d0c21a5473"},{"introduced":"0"},{"last_affected":"47a9d8e8abf5697b4580c3ee2ade302b5c058fa6"},{"introduced":"0"},{"last_affected":"b7ef32c4957883ab17105fa82e6331bf48bed78a"},{"introduced":"0"},{"last_affected":"6e65a7f3dadcade4274ae53f734d4c35188e3786"},{"introduced":"0"},{"last_affected":"ef07cb031c6f8f7ac483c26fc858aad68c365fd9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.2.2"},{"introduced":"0"},{"last_affected":"2.2.3"},{"introduced":"0"},{"last_affected":"2.2.4"},{"introduced":"0"},{"last_affected":"2.2.6"},{"introduced":"0"},{"last_affected":"2.2.8"},{"introduced":"0"},{"last_affected":"2.2.9"},{"introduced":"0"},{"last_affected":"2.2.10"},{"introduced":"0"},{"last_affected":"2.2.11"},{"introduced":"0"},{"last_affected":"2.2.12"},{"introduced":"0"},{"last_affected":"2.2.13"},{"introduced":"0"},{"last_affected":"2.2.14"},{"introduced":"0"},{"last_affected":"2.2.15"},{"introduced":"0"},{"last_affected":"2.2.16"},{"introduced":"0"},{"last_affected":"2.2.17"},{"introduced":"0"},{"last_affected":"2.2.18"},{"introduced":"0"},{"last_affected":"2.2.19"},{"introduced":"0"},{"last_affected":"2.2.20"},{"introduced":"0"},{"last_affected":"2.2.21"},{"introduced":"0"},{"last_affected":"2.2.22"},{"introduced":"0"},{"last_affected":"2.2.23"},{"introduced":"0"},{"last_affected":"2.2.24"},{"introduced":"0"},{"last_affected":"2.2.25"},{"introduced":"0"},{"last_affected":"2.2.26"},{"introduced":"0"},{"last_affected":"2.2.27"},{"introduced":"0"},{"last_affected":"2.2.29"},{"introduced":"0"},{"last_affected":"2.2.31"},{"introduced":"0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.4.2"},{"introduced":"0"},{"last_affected":"2.4.3"},{"introduced":"0"},{"last_affected":"2.4.4"},{"introduced":"0"},{"last_affected":"2.4.6"},{"introduced":"0"},{"last_affected":"2.4.7"},{"introduced":"0"},{"last_affected":"2.4.9"},{"introduced":"0"},{"last_affected":"2.4.10"},{"introduced":"0"},{"last_affected":"2.4.12"},{"introduced":"0"},{"last_affected":"2.4.16"},{"introduced":"0"},{"last_affected":"2.4.17"},{"introduced":"0"},{"last_affected":"2.4.18"},{"introduced":"0"},{"last_affected":"2.4.20"},{"introduced":"0"},{"last_affected":"2.4.23"}]}}],"versions":["2.1.10","2.2.0","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.23","2.2.24","2.2.25","2.2.26","2.2.27","2.2.29","2.2.3","2.2.31","2.2.4","2.2.6","2.2.8","2.2.9","2.4.1","2.4.10","2.4.12","2.4.16","2.4.17","2.4.18","2.4.2","2.4.20","2.4.23","2.4.3","2.4.4","2.4.6","2.4.7","2.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4975.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}