Vulnerability Name:

CVE-2002-1405 (CCN-9887)

Assigned: 2002-08-18
Published: 2002-08-18
Updated: 2016-10-18
Summary: CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote attackers to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Bypass Security
References:

Source: CALDERA
Type: UNKNOWN
CSSA-2002-049.0

Source: CCN
Type: SCO Security Advisory CSSA-2002-049.0
Linux: lynx CRLF injection vulnerability

Source: CCN
Type: BugTraq Mailing List, Thu Aug 22 2002 - 12:32:59 CDT
Lynx CRLF Injection, part two

Source: CCN
Type: VulnWatch Mailing List, Sun Aug 18 2002 - 19:17:04 CDT
Lynx CRLF Injection

Source: MITRE
Type: CNA
CVE-2002-1405

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2003:720
lynx

Source: CCN
Type: Lynx Web site
Lynx Information

Source: BUGTRAQ
Type: UNKNOWN
20020819 Lynx CRLF Injection

Source: BUGTRAQ
Type: UNKNOWN
20020822 Lynx CRLF Injection, part two

Source: CCN
Type: RHSA-2003-029
Updated lynx packages fix CRLF injection vulnerability

Source: CCN
Type: RHSA-2003-030
lynx security update

Source: CCN
Type: Sun Alert ID: 55940
Sun Linux 5.0 CRLF Injection Vulnerability in Lynx 2.8.4 and Earlier

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-210

Source: DEBIAN
Type: DSA-210
lynx -- CRLF injection

Source: XF
Type: Patch, Vendor Advisory
lynx-crlf-injection(9887)

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2003:023

Source: CCN
Type: OpenPKG-SA-2003.011
Lynx

Source: REDHAT
Type: UNKNOWN
RHSA-2003:029

Source: REDHAT
Type: UNKNOWN
RHSA-2003:030

Source: BID
Type: UNKNOWN
5499

Source: CCN
Type: BID-5499
Lynx Command Line URL CRLF Injection Vulnerability

Source: CCN
Type: BID-550
Allaire ColdFusion Undocumented CFML Tags Vulnerability

Source: TRUSTIX
Type: UNKNOWN
2002-0085

Source: XF
Type: UNKNOWN
lynx-crlf-injection(9887)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:elinks:elinks:0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:elinks:elinks:0.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:links:links:0.96:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.2_rel1:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.3_rel1:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.4_rel1:*:*:*:*:*:*:*
  • OR cpe:/a:university_of_kansas:lynx:2.8.5_dev8:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:lynx:lynx:2.8.5:dev.5:*:*:*:*:*:*
  • OR cpe:/a:lynx:lynx:2.8.4:rel.1:*:*:*:*:*:*
  • OR cpe:/a:lynx:lynx:2.8.2:rel.1:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux:6.2:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:2.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:1.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:sun:linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:1.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:pseries:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:iseries:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:ppc:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:ia64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:ppc:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.debian:def:210 | V | CRLF injection | 2002-12-13
    elinks elinks 0.2.4
    elinks elinks 0.3.2
    links links 0.96
    university_of_kansas lynx 2.8.2_rel1
    university_of_kansas lynx 2.8.3
    university_of_kansas lynx 2.8.3_rel1
    university_of_kansas lynx 2.8.4
    university_of_kansas lynx 2.8.4_rel1
    university_of_kansas lynx 2.8.5_dev8
    lynx lynx 2.8.5 dev.5
    lynx lynx 2.8.4 rel.1
    lynx lynx 2.8.2 rel.1
    redhat linux 6.2
    debian debian linux 2.2
    redhat linux 7
    mandrakesoft mandrake linux 7.2
    redhat linux 7.1
    mandrakesoft mandrake linux 8.0
    mandrakesoft mandrake single network firewall 7.2
    conectiva linux 7.0
    mandrakesoft mandrake linux 8.1
    redhat linux 7.2
    mandrakesoft mandrake linux 8.2
    conectiva linux 8.0
    redhat linux 7.3
    debian debian linux 3.0
    openpkg openpkg current
    redhat linux 8.0
    openpkg openpkg 1.1
    mandrakesoft mandrake linux 9.0
    mandrakesoft mandrake multi network firewall 8.2
    sun linux 5.0
    openpkg openpkg 1.2
    redhat enterprise linux 2.1
    redhat linux advanced workstation 2.1
    redhat linux 7.1
    redhat linux 7.1
    mandrakesoft mandrake linux 8.0
    mandrakesoft mandrake linux 8.1
    mandrakesoft mandrake linux 8.2