7.5

CVE-2018-1000164

Exploit
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GunicornGunicorn Version19.4.5
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.43% 0.821
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
Third Party Advisory
Exploit
https://github.com/benoitc/gunicorn/issues/1227
Third Party Advisory
Exploit
Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
Third Party Advisory
https://usn.ubuntu.com/4022-1/
https://www.debian.org/security/2018/dsa-4186
Third Party Advisory