CVE-2016-5699

medium

Description

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

References

https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html

https://hg.python.org/cpython/rev/bf3e1c9b80e9

https://hg.python.org/cpython/rev/1c45047c5102

https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS

https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4

http://www.splunk.com/view/SP-CAAAPUE

http://www.splunk.com/view/SP-CAAAPSV

http://www.securityfocus.com/bid/91226

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

http://www.openwall.com/lists/oss-security/2016/06/16/2

http://www.openwall.com/lists/oss-security/2016/06/15/12

http://www.openwall.com/lists/oss-security/2016/06/14/7

http://rhn.redhat.com/errata/RHSA-2016-1630.html

http://rhn.redhat.com/errata/RHSA-2016-1629.html

http://rhn.redhat.com/errata/RHSA-2016-1628.html

http://rhn.redhat.com/errata/RHSA-2016-1627.html

http://rhn.redhat.com/errata/RHSA-2016-1626.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Details

Source: Mitre, NVD

Published: 2016-09-02

Updated: 2023-02-12

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N