VAR-201604-0426

Vulnerability from variot - Updated: 2025-04-13 23:27

CRLF injection vulnerability in CA API Gateway (formerly Layer7 API Gateway) 7.1 before 7.1.04, 8.0 through 8.3 before 8.3.01, and 8.4 before 8.4.01 allows remote attackers to have an unspecified impact via unknown vectors. Supplementary information: the vulnerability type has been identified as CWE-93: Improper Neutralization of CRLF Sequences (CRLF Injection). http://cwe.mitre.org/data/definitions/93.html A third party may be affected in an unspecified manner. An attacker can exploit this issue to add arbitrary headers to a webpage. This may aid in further attacks. CA has fixes available. Update to the fix version indicated below.


{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "8.3"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "8.2"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "7.1"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "8.0"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "8.4"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "8.1"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ca",
        "version": "8.0 from  8.3.01"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ca",
        "version": "8.3"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ca",
        "version": "8.4"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ca",
        "version": "8.4.01"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ca",
        "version": "7.1"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ca",
        "version": "7.1.04"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "8.2"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "7.1"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "8.3"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "8.1"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "8.0"
      },
      {
        "_id": null,
        "model": "api gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "ca",
        "version": "8.4"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:ca:api_gateway",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Patrick Webster of OSI Security",
    "sources": [
      {
        "db": "BID",
        "id": "85867"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2016-3118",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2016-3118",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-91937",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 3.9,
            "id": "CVE-2016-3118",
            "impactScore": 2.5,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Physical",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2016-3118",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2016-3118",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2016-3118",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201604-034",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-91937",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91937"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "CRLF injection vulnerability in CA API Gateway (formerly Layer7 API Gateway) 7.1 before 7.1.04, 8.0 through 8.3 before 8.3.01, and 8.4 before 8.4.01 allows remote attackers to have an unspecified impact via unknown vectors. Supplementary information : CWE Vulnerability type by CWE-93: Improper Neutralization of CRLF Sequences (CRLF injection ) Has been identified. http://cwe.mitre.org/data/definitions/93.htmlA third party may be affected unspecified. \nAn attacker can exploit this issue to add arbitrary headers to a webpage. This may aid in further attacks. CA has fixes\navailable. Update to the fix version indicated below. All Rights Reserved. One CA Plaza, Islandia,\nN.Y. 11749. All other trademarks, trade names, service marks, and\nlogos referenced herein belong to their respective companies. \n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "BID",
        "id": "85867"
      },
      {
        "db": "VULHUB",
        "id": "VHN-91937"
      },
      {
        "db": "PACKETSTORM",
        "id": "136592"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-3118",
        "trust": 2.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "85867",
        "trust": 0.4
      },
      {
        "db": "PACKETSTORM",
        "id": "136592",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-91937",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91937"
      },
      {
        "db": "BID",
        "id": "85867"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "PACKETSTORM",
        "id": "136592"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      }
    ]
  },
  "id": "VAR-201604-0426",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91937"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-13T23:27:26.045000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "CA20160405-01: Security Notice for CA API Gateway",
        "trust": 0.8,
        "url": "http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160405-01-security-notice-for-ca-api-gateway.aspx"
      },
      {
        "title": "CA API Gateway CRLF Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60769"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160405-01-security-notice-for-ca-api-gateway.aspx"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3118"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3118"
      },
      {
        "trust": 0.1,
        "url": "https://support.ca.com/"
      },
      {
        "trust": 0.1,
        "url": "https://support.ca.com/irj/portal/anonymous/phpsbpldgpg"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3118"
      },
      {
        "trust": 0.1,
        "url": "https://www.ca.com/us/support/ca-support-online/documents.aspx?id=177782"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-91937"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      },
      {
        "db": "PACKETSTORM",
        "id": "136592"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-91937",
        "ident": null
      },
      {
        "db": "BID",
        "id": "85867",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "136592",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2016-3118",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2016-04-06T00:00:00",
        "db": "VULHUB",
        "id": "VHN-91937",
        "ident": null
      },
      {
        "date": "2016-04-05T00:00:00",
        "db": "BID",
        "id": "85867",
        "ident": null
      },
      {
        "date": "2016-04-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001938",
        "ident": null
      },
      {
        "date": "2016-04-06T13:39:41",
        "db": "PACKETSTORM",
        "id": "136592",
        "ident": null
      },
      {
        "date": "2016-04-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201604-034",
        "ident": null
      },
      {
        "date": "2016-04-06T01:59:28.840000",
        "db": "NVD",
        "id": "CVE-2016-3118",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2016-04-07T00:00:00",
        "db": "VULHUB",
        "id": "VHN-91937",
        "ident": null
      },
      {
        "date": "2016-04-05T00:00:00",
        "db": "BID",
        "id": "85867",
        "ident": null
      },
      {
        "date": "2016-04-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001938",
        "ident": null
      },
      {
        "date": "2021-04-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201604-034",
        "ident": null
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2016-3118",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "136592"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "_id": null,
    "data": "CA API Gateway In  CRLF Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001938"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201604-034"
      }
    ],
    "trust": 0.6
  }
}

