PT-2016-4913 · Cgit · Cgit

Donenfeld · Published 2016-01-20 · Updated 2024-06-15 · CVE-2016-1900

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: CGit versions prior to 0.12
Description: The issue allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename. This is due to a CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c.
Recommendations: For CGit versions prior to 0.12, update to version 0.12 or later to resolve the issue. As a temporary workaround, consider restricting write access to repositories to minimize the risk of exploitation. Avoid using newline characters in filenames until the issue is resolved.
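As an added illustration, not part of this advisory or of cgit's own code, the Python below contrasts a header builder that copies a repository filename into Content-Disposition unchecked (the behaviour described above) with a detection check and a hardened builder; the sample filename and all function names are constructed for this example.

```python
# Constructed sample: a filename carrying CR LF, as could be committed by someone
# with write access to a repository served by a vulnerable CGit (hypothetical).
SAMPLE_FILENAME = "README.txt\r\nSet-Cookie: injected=1"


def build_headers_unsafe(filename: str) -> str:
    """Mimics the pre-0.12 behaviour: the filename is copied into the header
    value without any checking (constructed stand-in, not cgit's code)."""
    return f"Content-Disposition: inline; filename={filename}\r\n"


def contains_header_injection(filename: str) -> bool:
    """Detection check: True if the filename contains CR, LF or any other ASCII
    control character, i.e. bytes that would terminate or corrupt a header line."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename)


def build_headers_safe(filename: str) -> str:
    """Hardened form: refuse control characters outright and quote the value so
    that ';' or '"' inside the filename cannot change how the header is parsed."""
    if contains_header_injection(filename):
        raise ValueError("filename contains control characters; header not emitted")
    quoted = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'Content-Disposition: inline; filename="{quoted}"\r\n'


def count_header_lines(raw: str) -> int:
    """Number of header lines a client would see. More than one line for a
    single emitted header means the response was split."""
    return len([line for line in raw.split("\r\n") if line])


if __name__ == "__main__":
    print("unsafe lines:", count_header_lines(build_headers_unsafe(SAMPLE_FILENAME)))
    print("safe lines:", count_header_lines(build_headers_safe("README.txt")))
```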

Fix

Related identifiers

CVE-2016-1900
DSA-3545-1
MGASA-2016-0047
OPENSUSE-SU-2024:10137-1

Affected products

Cgit