CVE Vulnerabilities

CVE-2015-3154

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Jan 27, 2020 | Modified: Jan 30, 2020
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

CRLF injection vulnerability in ZendMail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Zend_framework Zend * 1.12.12 (excluding)
Zend_framework Zend 2.3.0 (including) 2.3.8 (excluding)
Zend_framework Zend 2.4.0 (including) 2.4.1 (excluding)
Zend-framework Ubuntu esm-apps/xenial *
Zend-framework Ubuntu precise *
Zend-framework Ubuntu trusty *
Zend-framework Ubuntu upstream *
Zend-framework Ubuntu utopic *
Zend-framework Ubuntu vivid *
Zend-framework Ubuntu wily *
Zend-framework Ubuntu xenial *
Zend-framework Ubuntu yakkety *
Zendframework Ubuntu artful *
Zendframework Ubuntu upstream *
Zendframework Ubuntu zesty *

Potential Mitigations

References