Lucene search

GitHub Advisory DatabaseGHSA-F97H-2PFX-F59F

HistoryJul 29, 2020 - 6:07 p.m.

HTTP response splitting in uvicorn

2020-07-2918:07:20

CWE-74

GitHub Advisory Database

github.com

186

uvicorn

0.11.7

http response splitting

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

38.8%

JSON

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

Affected configurations

Vulners

Node

encodeuvicornRange<0.11.7

VendorProductVersionCPE
encodeuvicorn*cpe:2.3:a:encode:uvicorn:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
encode	uvicorn	*	cpe:2.3:a:encode:uvicorn::::::::

References

github.com/advisories/GHSA-f97h-2pfx-f59f

github.com/encode/uvicorn

nvd.nist.gov/vuln/detail/CVE-2020-7695

snyk.io/vuln/SNYK-PYTHON-UVICORN-570471

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

38.8%

JSON

Related for GHSA-F97H-2PFX-F59F