CVE-2016-3166: Drupal CRLF injection vulnerability in the drupal_set_header function
CVSS Score (v3.0): 5.9
Basic Information
CVE ID
GHSA ID
EPSS Score
0.64862%
CWE
Published
5/17/2022
Updated
4/23/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
drupal/core | composer | >= 6.0, < 6.38 | 6.38 |
drupal/drupal | composer | >= 6.0, < 6.38 | 6.38 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The CVE description explicitly names drupal_set_header as the vulnerable function. The vulnerability stems from improper neutralization of CRLF sequences when user-controlled data is passed to this header-setting function, particularly in older PHP environments. The function's location in includes/common.inc is standard for Drupal 6.x core functions. No other functions are mentioned in the vulnerability description as contributing to this specific CRLF injection issue.
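To make the root cause concrete, the following is an added illustration and not Drupal's own code: a header-setting helper in the spirit of a Drupal 6 drupal_set_header() call, hardened so that a CR or LF in user-controlled input is refused before the value ever reaches PHP's header(). The helper names (header_is_safe, safe_set_header) and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not Drupal core code). Validates header name/value pairs
// before emitting them, instead of relying on the PHP runtime to reject an
// embedded newline (older PHP builds did not do so reliably).

/**
 * Returns TRUE when $name is a valid header token and $value contains no
 * CR (0x0D) or LF (0x0A), FALSE otherwise.
 */
function header_is_safe(string $name, string $value): bool {
    // Header names are RFC 7230 tokens: no whitespace or control characters.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        return FALSE;
    }
    // A single CR or LF would end the header line, so the remainder of the
    // string would be parsed as a separate header or as the response body.
    if (preg_match('/[\r\n]/', $value)) {
        return FALSE;
    }
    return TRUE;
}

/**
 * Hardened wrapper around header(): refuses and logs unsafe pairs rather
 * than emitting a split or truncated header.
 */
function safe_set_header(string $name, string $value): bool {
    if (!header_is_safe($name, $value)) {
        error_log("Refused header '" . addcslashes($name, "\r\n") . "': CR/LF or invalid name");
        return FALSE;
    }
    header($name . ': ' . $value);
    return TRUE;
}

// Constructed sample pairs (not taken from any real request):
$cases = [
    ['Content-Language', 'en'],                 // valid, accepted
    ['Content-Language', "en\r\nX-Injected: 1"], // CRLF in value, refused
    ["Bad\nName", 'x'],                          // LF in name, refused
];
foreach ($cases as [$n, $v]) {
    printf("%-22s => %s\n", json_encode($n), header_is_safe($n, $v) ? 'accepted' : 'refused');
}
```

Running this from the CLI prints one line per case; the same check belongs at every point where request data (parameters, cookies, path segments) is turned into a response header.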