6.1

CVE-2016-5699

Exploit
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonPython Version <= 2.7.9
PythonPython Version3.0
PythonPython Version3.0.1
PythonPython Version3.1.0
PythonPython Version3.1.1
PythonPython Version3.1.2
PythonPython Version3.1.3
PythonPython Version3.1.4
PythonPython Version3.1.5
PythonPython Version3.2.0
PythonPython Version3.2.1
PythonPython Version3.2.2
PythonPython Version3.2.3
PythonPython Version3.2.4
PythonPython Version3.2.5
PythonPython Version3.2.6
PythonPython Version3.3.0
PythonPython Version3.3.1
PythonPython Version3.3.2
PythonPython Version3.3.3
PythonPython Version3.3.4
PythonPython Version3.3.5
PythonPython Version3.3.6
PythonPython Version3.4.0
PythonPython Version3.4.1
PythonPython Version3.4.2
PythonPython Version3.4.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 9.89% 0.95
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.splunk.com/view/SP-CAAAPSV
http://www.splunk.com/view/SP-CAAAPUE
http://rhn.redhat.com/errata/RHSA-2016-1626.html
http://rhn.redhat.com/errata/RHSA-2016-1627.html
http://rhn.redhat.com/errata/RHSA-2016-1628.html
http://rhn.redhat.com/errata/RHSA-2016-1629.html
http://rhn.redhat.com/errata/RHSA-2016-1630.html
https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
Third Party Advisory
Exploit
http://www.openwall.com/lists/oss-security/2016/06/14/7
Mailing List
http://www.openwall.com/lists/oss-security/2016/06/15/12
Mailing List
http://www.openwall.com/lists/oss-security/2016/06/16/2
Mailing List
http://www.securityfocus.com/bid/91226
https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
Release Notes
https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
Release Notes
https://hg.python.org/cpython/rev/1c45047c5102
Patch
https://hg.python.org/cpython/rev/bf3e1c9b80e9
Patch