CVE-2016-5331

Published: Aug 8, 2016Modified: May 6, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Affected (2)

Products: Vmware: Esxi, Vcenter Server

Vmware

2 products

Esxi

Vcenter Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Vmware Esxi	Version 6.0
Vmware Vcenter Server	Up to 6.0

Related CWEs

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References (16)

http://packetstormsecurity.com/files/138211/VMware-vSphere-Hypervisor-ESXi-HTTP-Response-Injection.html

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2016/Aug/38

Source: cve@mitre.org

http://www.securityfocus.com/archive/1/539128/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/92324

Source: cve@mitre.org

http://www.securitytracker.com/id/1036543

Source: cve@mitre.org

http://www.securitytracker.com/id/1036544

Source: cve@mitre.org

http://www.securitytracker.com/id/1036545

Source: cve@mitre.org

http://www.vmware.com/security/advisories/VMSA-2016-0010.html

Source: cve@mitre.org

MitigationPatchVendor Advisory

http://packetstormsecurity.com/files/138211/VMware-vSphere-Hypervisor-ESXi-HTTP-Response-Injection.html