CVE-2016-5699

high-risk
Published 2016-09-02

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Do I need to act?

!
35.3% chance of exploitation in next 30 days
EPSS score — higher than 65% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Python

References (38)

Exploit http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://rhn.redhat.com/errata/RHSA-2016-1626.html
http://rhn.redhat.com/errata/RHSA-2016-1627.html
http://rhn.redhat.com/errata/RHSA-2016-1628.html
http://rhn.redhat.com/errata/RHSA-2016-1629.html
http://rhn.redhat.com/errata/RHSA-2016-1630.html
Mailing List http://www.openwall.com/lists/oss-security/2016/06/14/7
Mailing List http://www.openwall.com/lists/oss-security/2016/06/15/12
Mailing List http://www.openwall.com/lists/oss-security/2016/06/16/2
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securityfocus.com/bid/91226
http://www.splunk.com/view/SP-CAAAPSV
http://www.splunk.com/view/SP-CAAAPUE
Release Notes https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
Release Notes https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
Patch https://hg.python.org/cpython/rev/1c45047c5102
Patch https://hg.python.org/cpython/rev/bf3e1c9b80e9
https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
Exploit http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
and 18 more references
61
/ 100
high-risk
Severity 23/34 · High
Exploitability 16/34 · Moderate
Exposure 22/34 · High