{
  "threat_severity" : "Low",
  "public_date" : "2016-06-13T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: reason argument in ServerResponse#writeHead() not properly validated",
    "id" : "1346910",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1346910"
  },
  "cvss" : {
    "cvss_base_score" : "4.0",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "details" : [ "CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.", "It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.2::el7",
    "package" : "nodejs-0:0.10.47-2.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.2::el7",
    "package" : "nodejs-tough-cookie-0:2.3.1-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.3::el7",
    "package" : "nodejs-0:0.10.47-2.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.3::el7",
    "package" : "nodejs-tough-cookie-0:2.3.1-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3.1",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.1::el7",
    "package" : "nodejs-0:0.10.47-2.el7"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3.1",
    "release_date" : "2016-10-27T00:00:00Z",
    "advisory" : "RHSA-2016:2101",
    "cpe" : "cpe:/a:redhat:openshift:3.1::el7",
    "package" : "nodejs-tough-cookie-0:2.3.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5325\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5325\nhttps://nodejs.org/en/blog/vulnerability/september-2016-security-releases/" ],
  "name" : "CVE-2016-5325",
  "csaw" : false
}