Main Vulnerability Database Vulnerabilities #VU39189

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Google Android - CVE-2016-1155

Published: April 13, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39189

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-1155

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.

How to mitigate CVE-2016-1155

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/97662
https://android.googlesource.com/platform/external/okhttp/+/71b9f47b26fb57ac3e436a19519c6e3ec70e86eb
https://jvn.jp/vu/JVNVU99757346/index.html

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Google Android - CVE-2016-1155

Detailed vulnerability description

How to mitigate CVE-2016-1155

Sources

Please verify you're human