Search

Find a vulnerability

Search criteria

    Related vulnerabilities

    PYSEC-2020-151

    Vulnerability from pysec - Published: 2020-07-27 12:15 - Updated: 2020-07-29 19:15
    VLAI
    Details

    Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

    Impacted products
    Name purl
    uvicorn pkg:pypi/uvicorn

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "uvicorn",
            "purl": "pkg:pypi/uvicorn"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.11.7"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.0.1",
            "0.0.2",
            "0.0.3",
            "0.0.4",
            "0.0.5",
            "0.0.6",
            "0.0.7",
            "0.0.8",
            "0.0.9",
            "0.0.10",
            "0.0.11",
            "0.0.12",
            "0.0.13",
            "0.0.14",
            "0.0.15",
            "0.1.0",
            "0.1.1",
            "0.2.0",
            "0.2.1",
            "0.2.2",
            "0.2.3",
            "0.2.4",
            "0.2.5",
            "0.2.6",
            "0.2.7",
            "0.2.8",
            "0.2.9",
            "0.2.10",
            "0.2.11",
            "0.2.12",
            "0.2.13",
            "0.2.14",
            "0.2.15",
            "0.2.16",
            "0.2.17",
            "0.2.18",
            "0.2.19",
            "0.2.20",
            "0.2.21",
            "0.2.22",
            "0.3.0",
            "0.3.1",
            "0.3.2",
            "0.3.3",
            "0.3.4",
            "0.3.5",
            "0.3.6",
            "0.3.7",
            "0.3.8",
            "0.3.9",
            "0.3.10",
            "0.3.11",
            "0.3.12",
            "0.3.13",
            "0.3.14",
            "0.3.15",
            "0.3.16",
            "0.3.17",
            "0.3.18",
            "0.3.19",
            "0.3.20",
            "0.3.21",
            "0.3.22",
            "0.3.23",
            "0.3.24",
            "0.3.25",
            "0.3.26",
            "0.3.27",
            "0.3.28",
            "0.3.29",
            "0.3.30",
            "0.3.31",
            "0.3.32",
            "0.4.0",
            "0.4.1",
            "0.4.2",
            "0.4.3",
            "0.4.4",
            "0.4.5",
            "0.4.6",
            "0.5.0",
            "0.5.1",
            "0.5.2",
            "0.6.0",
            "0.6.1",
            "0.7.0b1",
            "0.7.0b2",
            "0.7.0",
            "0.7.1",
            "0.7.2",
            "0.7.3",
            "0.8.0",
            "0.8.1",
            "0.8.2",
            "0.8.3",
            "0.8.4",
            "0.8.5",
            "0.8.6",
            "0.9.0",
            "0.9.1",
            "0.10.0",
            "0.10.1",
            "0.10.2",
            "0.10.3",
            "0.10.4",
            "0.10.5",
            "0.10.6",
            "0.10.7",
            "0.10.8",
            "0.10.9",
            "0.11.0",
            "0.11.1",
            "0.11.2",
            "0.11.3",
            "0.11.4",
            "0.11.5",
            "0.11.6"
          ]
        }
      ],
      "aliases": [
        "CVE-2020-7695",
        "SNYK-PYTHON-UVICORN-570471",
        "GHSA-f97h-2pfx-f59f"
      ],
      "details": "Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.",
      "id": "PYSEC-2020-151",
      "modified": "2020-07-29T19:15:00Z",
      "published": "2020-07-27T12:15:00Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471"
        },
        {
          "type": "WEB",
          "url": "https://github.com/encode/uvicorn"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-f97h-2pfx-f59f"
        }
      ]
    }