Google Android CVE-2016-1155 HTTP Header Injection Vulnerability

Google Android are prone to an HTTP header-injection vulnerability because it fails to sufficiently sanitize user input.

A successful attack may allow attackers to insert a crafted HTTP header into an HTTP response that could cause a web page redirection to a possible malicious website; this may aid in launching further attacks.

Google Android 2.2 is vulnerable.

Information

Bugtraq ID: 97662
Class: Input Validation Error
CVE: CVE-2016-1155

Remote: Yes
Local: No
Published: Apr 13 2017 12:00AM
Updated: Apr 13 2017 12:00AM
Credit: Cisco.
Vulnerable: Google Android 5.1.1
Google Android 5.0.2
Google Android 5.0.1
Google Android 4.4.4
Google Android 4.4.3
Google Android 4.4.2
Google Android 4.4.1
Google Android 4.3.1
Google Android 4.2.2
Google Android 4.2.1
Google Android 4.1.2
Google Android 4.1.1
Google Android 4.0.4
Google Android 4.0.3
Google Android 4.0.2
Google Android 4.0.1
Google Android 3.2.6
Google Android 3.2.4
Google Android 3.2.2
Google Android 3.2.1
Google Android 2.3.6
Google Android 2.3.5
Google Android 2.2.3
Google Android 6.0
Google Android 5.1
Google Android 5.0
Google Android 4.6
Google Android 4.4W.2
Google Android 4.4W.1
Google Android 4.4W
Google Android 4.4_r1.1 tag
Google Android 4.4
Google Android 4.3
Google Android 4.2
Google Android 4.1.2_r1
Google Android 4.1
Google Android 4.0
Google Android 3.2
Google Android 3.1
Google Android 3.0
Google Android 2.3.4
Google Android 2.3.3
Google Android 2.3.2
Google Android 2.3.1
Google Android 2.3
Google Android 2.2.2

Not Vulnerable:

References:

• Android Homepage (Google)
  
• JVNVU # 99757346 Android Platform URLConnection class HTTP header injection vul (JPCERT)
  
• Pull latest code from upstream okhttp and okio (GoogleSource)
  

Source: www.securityfocus.com