CVE-2016-5699: HTTP header injection¶
HTTP header injection in
CRLF injection vulnerability in the
urllib in CPython before 2.7.10 and 3.x before 3.4.4
allows remote attackers to inject arbitrary HTTP headers via CRLF sequences
in a URL.
Reported again in January 2016 by Timothy D. Morgan (Blindspot Security), with a full disclosed at 2016-06-15.
- Disclosure date: 2014-11-24 (Python issue bpo-22928 reported)
- Red Hat impact: Moderate
HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699).
- Python issue: bpo-22928
- Creation date: 2014-11-24
- Reporter: Guido Vranken
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Timeline using the disclosure date 2014-11-24 as reference:
- 2014-11-24: Python issue bpo-22928 reported by Guido Vranken
- 2015-03-12 (+108 days): commit 59bdf63
- 2015-03-12 (+108 days): commit a112a8a
- 2015-05-23 (+180 days): Python 2.7.10 released
- 2015-09-09: Python 3.5.0 released
- 2015-12-21 (+392 days): Python 3.4.4 released
- 2016-09-02 (+648 days): CVE-2016-5699 published
- 2017-07-26 (+975 days): commit 8e88f6b
- 2017-09-19 (+1030 days): Python 3.3.7 released