CRLF Injection Vulnerability in Microsoft Internet Information Services
CVE-2011-5279

Currently unrated

Key Information:

Vendor: Microsoft
Status: Internet Information Services
Vendor: CVE Published:; 23 April 2014

Summary

A CRLF injection vulnerability exists in the CGI implementation of Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000. This flaw allows remote attackers to exploit HTTP headers by injecting newline characters, enabling them to modify arbitrary uppercase environment variables. Such manipulation can lead to further exploitation and unauthorized access, highlighting the importance of securing web applications against injection-based attacks.

References

http://seclists.org/fulldisclosure/2014/Apr/247

mailing-listx_refsource_FULLDISC

http://seclists.org/fulldisclosure/2014/Apr/128

mailing-listx_refsource_FULLDISC

http://seclists.org/fulldisclosure/2012/Apr/0

mailing-listx_refsource_FULLDISC

EPSS Score

8% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Apr 23, 2014
Vulnerability Reserved
Apr 23, 2014