PT-2016-4912 · Cgit · Cgit

Katowicz-Kowalewski · Published 2016-01-20 · Updated 2024-06-15 · CVE-2016-1899

CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: CGit versions prior to 0.12

Description: The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter. This is demonstrated by a request to "blob/cgit.c", which exploits the vulnerability in the ui-blob handler.

Recommendations: For versions prior to 0.12, update to version 0.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the ui-blob handler or avoiding the use of the mimetype parameter in requests to "blob/cgit.c" until the issue is resolved.
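As an added illustration (not cgit's own code and not a reproduction of its actual fix), assuming a hypothetical handler that formats the mimetype parameter straight into a Content-Type header, the C below shows how an unvalidated CR/LF turns one header line into several and the check a hardened handler applies before emitting the value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check: a value is safe to place in an HTTP header only if
 * it contains no CR or LF; either one ends the header line and lets the
 * remainder be parsed as further headers or as body (response splitting). */
bool header_value_is_safe(const char *value)
{
    if (!value)
        return false;
    for (const char *p = value; *p; p++)
        if (*p == '\r' || *p == '\n')
            return false;
    return true;
}

/* Count the header lines a naive "Content-Type: %s\r\n" write would emit
 * for a given mimetype value. A clean value yields exactly one line. */
int naive_content_type_line_count(const char *mimetype)
{
    char buf[512];
    int n = snprintf(buf, sizeof buf, "Content-Type: %s\r\n", mimetype);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;            /* truncated or error: refuse to reason about it */
    int lines = 0;
    for (const char *p = buf; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

/* Hardened variant: emit the header only after validation.
 * Returns 0 on success, -1 when the value is rejected. */
int write_content_type(FILE *out, const char *mimetype)
{
    if (!header_value_is_safe(mimetype))
        return -1;
    fprintf(out, "Content-Type: %s\r\n", mimetype);
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *clean = "text/plain";
    const char *crlf = "text/plain\r\nX-Injected: 1";
    printf("clean -> %d line(s), safe=%d\n",
           naive_content_type_line_count(clean), header_value_is_safe(clean));
    printf("crlf  -> %d line(s), safe=%d\n",
           naive_content_type_line_count(crlf), header_value_is_safe(crlf));
    return 0;
}
```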

Related Identifiers

CVE-2016-1899
DSA-3545-1
MGASA-2016-0047
OPENSUSE-SU-2024:10137-1

Affected Products

Cgit