CVE-2016-5699 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Severity

43%

Complexity

86%

Confidentiality

48%

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

CVSS 3.0 Base Score 6.1. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Demo Examples

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Overview

First reported 8 years ago

2016-09-02 14:59:00

Last updated 6 years ago

2019-02-09 11:29:00

Affected Software

Python

Python 3.0

3.0

Python 3.0.1

3.0.1

Python 3.1.0

3.1.0

Python 3.1.1

3.1.1

Python 3.1.2

3.1.2

Python 3.1.3

3.1.3

Python 3.1.4

3.1.4

Python 3.1.5

3.1.5

Python 3.2.0

3.2.0

Python 3.2.1

3.2.1

Python 3.2.2

3.2.2

Python 3.2.3

3.2.3

Python 3.2.4

3.2.4

Python 3.2.5

3.2.5

Python 3.2.6

3.2.6

Python 3.3.0

3.3.0

Python 3.3.1

3.3.1

Python 3.3.2

3.3.2

Python 3.3.3

3.3.3

Python 3.3.4

3.3.4

Python 3.3.5

3.3.5

Python 3.3.6

3.3.6

Python 3.4.0

3.4.0

Python 3.4.1

3.4.1

Python 3.4.2

3.4.2

Python 3.4.3

3.4.3

References

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Exploit, Third Party Advisory

openSUSE-SU-2020:0086

RHSA-2016:1626

RHSA-2016:1627

RHSA-2016:1628

RHSA-2016:1629

RHSA-2016:1630

[oss-security] 20160614 CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client

Mailing List

[oss-security] 20160615 Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client

Mailing List

[oss-security] 20160616 Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client

Mailing List

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

91226

http://www.splunk.com/view/SP-CAAAPSV

http://www.splunk.com/view/SP-CAAAPUE

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4

Release Notes

https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS

Release Notes

https://hg.python.org/cpython/rev/1c45047c5102

Patch

https://hg.python.org/cpython/rev/bf3e1c9b80e9

Patch

[debian-lts-announce] 20190207 [SECURITY] [DLA 1663-1] python3.4 security update

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.