{"id":"CVE-2016-4975","details":"Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).","modified":"2026-05-14T06:31:03.395714820Z","published":"2018-08-14T12:29:00.220Z","related":["SUSE-SU-2018:2554-1","SUSE-SU-2018:2815-1","SUSE-SU-2018:2815-2"],"database_specific":{},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"},{"type":"WEB","url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105093"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180926-0006/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"0"},{"last_affected":"cd3e5a83cd5765d12b3237631c829eaff80f8425"},{"last_affected":"1c7da70e72d96fa72244bd032d89769c1399b5f7"},{"last_affected":"43559342e30402bbca6ca84ab88a533f118bf444"},{"last_affected":"8dfd45d1f67969afa0b95faf03a9fc283e0c5b63"},{"last_affected":"9e1e5d76b296e7e00ba8f56c6976cf8bd69a0e4e"},{"last_affected":"8fa038317b96b70e04656aadb2ab20e3212a6e87"},{"last_affected":"0cddd3aa8709b50b3c1d52b478defeb91f230ce1"},{"last_affected":"32d03a287f8f33adcc7af96844089cff5ce2ca09"},{"last_affected":"34ea1cee78449ff1081267cd2348a01099b04ac9"},{"last_affected":"810842a1dc70b67ac82fd53e09250b8bb7dbe27d"},{"last_affected":"777e5a254758046a13ebeaf09fa4af6467bf8910"},{"last_affected":"926546a5bb798796aec1135994c6c242529e1d94"},{"last_affected":"cad4926fd376fd483859ab4b1871b3e9473cae01"},{"last_affected":"f54aa3b08da564fb8e1664f770ce2c083b8a0c69"},{"last_affected":"87777f4289970214d3fcf2885dbf01188371b738"},{"last_affected":"ea2107f62fec7368c0d07294626d92921cffa794"},{"last_affected":"f6204293872d3345bea724149b9d9cc3878e61be"},{"last_affected":"79399902e001e6edac9a0314f2e2e6dc580640a0"},{"last_affected":"3614ebd12db5e555ac7f2975afa530116d204335"},{"last_affected":"a5fd1e3e9921e87e9c5526198e8bdc8db6b75061"},{"last_affected":"647bc6a13a11ae7772391170fd176ad8b8846b87"},{"last_affected":"803b3cbae02b4f7562bbcdf5f9d7fd82f4cf48cf"},{"last_affected":"886787685c97f9c392adca5ac29d3e8bd3aef7c5"},{"last_affected":"82b0da5c50d9e1c226b1eaa2e7780921be1386b3"},{"last_affected":"7b5870f6ce45d2a1baef173e8a634e6044434943"},{"last_affected":"cef6805cb18886c5454a38f3501c5e3c990c0b3d"},{"last_affected":"79f35160c372de1e867542e1705962fb0880a647"},{"last_affected":"60fa04727910859b5512f7bbb36c53c4652cff2c"},{"last_affected":"67578c0315accbca1bba22d695c59d51197c99cc"},{"last_affected":"14434f9be6e1624a4b3070b0df00901fb62e9ca4"},{"last_affected":"408b0bd76056d59fa1d46deab60904b816f0d119"},{"last_affected":"7650f0ca88028593a7c5fbba2e20bca4a65b031d"},{"last_affected":"f2b561181dbd0c689fd583c60878ce05854ec5f9"},{"last_affected":"7ea253ccfeaec99b5684c909dce6d9a6d7ee6486"},{"last_affected":"015ab81d44c1f6def12fdbb7dc8d8241bf8e3ef5"},{"last_affected":"1287b680fbde78d9289029b6a6b63a3f9e58d704"},{"last_affected":"2d1deb10cfafe25ade7f30307e13b6d0c21a5473"},{"last_affected":"47a9d8e8abf5697b4580c3ee2ade302b5c058fa6"},{"last_affected":"b7ef32c4957883ab17105fa82e6331bf48bed78a"},{"last_affected":"6e65a7f3dadcade4274ae53f734d4c35188e3786"},{"last_affected":"ef07cb031c6f8f7ac483c26fc858aad68c365fd9"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.2.0"},{"last_affected":"2.2.2"},{"last_affected":"2.2.3"},{"last_affected":"2.2.4"},{"last_affected":"2.2.6"},{"last_affected":"2.2.8"},{"last_affected":"2.2.9"},{"last_affected":"2.2.10"},{"last_affected":"2.2.11"},{"last_affected":"2.2.12"},{"last_affected":"2.2.13"},{"last_affected":"2.2.14"},{"last_affected":"2.2.15"},{"last_affected":"2.2.16"},{"last_affected":"2.2.17"},{"last_affected":"2.2.18"},{"last_affected":"2.2.19"},{"last_affected":"2.2.20"},{"last_affected":"2.2.21"},{"last_affected":"2.2.22"},{"last_affected":"2.2.23"},{"last_affected":"2.2.24"},{"last_affected":"2.2.25"},{"last_affected":"2.2.26"},{"last_affected":"2.2.27"},{"last_affected":"2.2.29"},{"last_affected":"2.2.31"},{"last_affected":"2.4.1"},{"last_affected":"2.4.2"},{"last_affected":"2.4.3"},{"last_affected":"2.4.4"},{"last_affected":"2.4.6"},{"last_affected":"2.4.7"},{"last_affected":"2.4.9"},{"last_affected":"2.4.10"},{"last_affected":"2.4.12"},{"last_affected":"2.4.16"},{"last_affected":"2.4.17"},{"last_affected":"2.4.18"},{"last_affected":"2.4.20"},{"last_affected":"2.4.23"}],"cpe":["cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.27:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.29:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.2.31:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*"],"source":"CPE_FIELD"}}],"versions":["2.2.25","2.4.23","2.4.20","2.4.18","2.4.17","2.2.31","2.4.16","2.4.12","2.2.29","2.4.10","2.2.27","2.4.9","2.4.7","2.2.26","2.4.6","2.2.24","2.4.4","2.2.23","2.4.3","2.4.2","2.4.1","2.2.22","2.2.21","2.2.20","2.2.19","2.2.18","2.2.17","2.2.16","2.2.15","2.2.14","2.2.13","2.2.12","2.2.11","2.2.10","2.2.9","2.2.8","2.2.6","2.2.4","2.2.3","2.2.2","2.2.0","2.1.10"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4975.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}