UBUNTU-CVE-2016-2216
- Source
- https://ubuntu.com/security/CVE-2016-2216
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2016/UBUNTU-CVE-2016-2216.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2016-2216
- Upstream
- Published
- 2016-04-07T21:59:00Z
- Modified
- 2025-07-16T08:18:59.989963Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Ubuntu - low
- Summary
- [none]
- Details
-
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
- References
Affected packages
Ubuntu:Pro:14.04:LTS / nodejs
Package
- Name
- nodejs
- Purl
- pkg:deb/ubuntu/nodejs@0.10.25~dfsg2-2ubuntu1.2+esm2?arch=source&distro=esm-infra-legacy/trusty
Ubuntu:Pro:16.04:LTS / nodejs
Package
- Name
- nodejs
- Purl
- pkg:deb/ubuntu/nodejs@4.2.6~dfsg-1ubuntu4.2+esm3?arch=source&distro=esm-apps/xenial
Ubuntu:18.04:LTS / nodejs
Package
- Name
- nodejs
- Purl
- pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.10.0~dfsg-2
Affected versions
6.*
6.11.4~dfsg-1ubuntu1
6.11.4~dfsg-1ubuntu2
6.12.0~dfsg-1ubuntu1
6.12.0~dfsg-2ubuntu1
6.12.0~dfsg-2ubuntu2
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "nodejs",
"binary_version": "8.10.0~dfsg-2"
},
{
"binary_name": "nodejs-dbgsym",
"binary_version": "8.10.0~dfsg-2"
},
{
"binary_name": "nodejs-dev",
"binary_version": "8.10.0~dfsg-2"
},
{
"binary_name": "nodejs-doc",
"binary_version": "8.10.0~dfsg-2"
}
]
}