Vulnerability in Apache Software Foundation Http Server
CVE-2016-4975
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header…
EPSS: 0.733 (98.8th percentile)
Affected products
- Apache Software Foundation Http Server: affected 2.4.1-2.4.23 (fixed in Apache HTTP Server 2.4.25); affected 2.2.0-2.2.31 (fixed in Apache HTTP Server 2.2.32)
References
- httpd.apache.org/security/vulnerabilities_22.html (x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20180926-0006/ (x_refsource_CONFIRM)
- support.hpe.com/hpsc/doc/public/display (x_refsource_CONFIRM)
- 105093 (vdb-entry, x_refsource_BID)
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_CONFIRM)
- [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2016-4975?
- CVE-2016-4975 is a vulnerability in Apache Software Foundation Http Server. Published 2018-08-14.
- Is CVE-2016-4975 known to be exploited?
- 32 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.