{"id":"CVE-2016-4993","details":"CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.","aliases":["GHSA-qcqr-hcjq-whfq"],"modified":"2026-04-10T03:50:06.476300Z","published":"2016-09-26T14:59:03.117Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/92894"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1840.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1841.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3455"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3456"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3458"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1838.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1839.html"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036758"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3454"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1344321"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wildfly/wildfly","events":[{"introduced":"0"},{"last_affected":"991cee17686a42b12409d4f25eafbd1a5d836e4b"},{"introduced":"0"},{"last_affected":"f52e8d79b9eff90b8c063e1c96d1c37be746c807"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.0.1"},{"introduced":"0"},{"last_affected":"10.0.0"}]}}],"versions":["10.0.0.Alpha1","10.0.0.Alpha2","10.0.0.Alpha3","10.0.0.Alpha4","10.0.0.Alpha5","10.0.0.Alpha6","10.0.0.Beta1","10.0.0.Beta2","10.0.0.CR1","10.0.0.CR2","10.0.0.CR3","10.0.0.CR4","10.0.0.CR5","10.0.0.Final","7.0.0.Alpha1","7.0.0.Alpha1-final","7.0.0.Beta1-prerelease","7.0.0.Beta2","7.0.0.Beta2-prerelease","7.0.0.Beta3","7.0.0.CR1","7.0.0.Final","7.0.0.Final-prerelease","7.0.0.Final-prerelease2","7.0.0.Final-prerelease3","7.0.1.Final","7.1.0.Alpha1","7.1.0.Beta1","7.1.0.CR1","7.1.0.Final","7.1.0.Final-prerelease","7.1.0.Final-prerelease2","7.1.1.Final","7.1.2-prerelease","7.1.2.Final","7.2.0.Final","7.2.0.Final-prerelease1","8.0.0.Alpha1","8.0.0.Alpha2","8.0.0.Alpha3","8.0.0.Alpha4","8.0.0.Beta1","8.0.0.CR1","8.0.0.Final","8.1.0.CR1","8.1.0.CR2","9.0.0.Beta1","9.0.0.Beta2","9.0.0.CR1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4993.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}