HTTP header injection

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

HTTP header injection in the urllib, urllib2, httplib and http.client modules.

CRLF injection vulnerability in the HTTPConnection.putheader() function in urllib2 and urllib in CPython before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

Reported again in January 2016 by Timothy D. Morgan (Blindspot Security), with full disclosure on 2016-06-15.

Dates:

  • Disclosure date: 2014-11-24 (Python issue bpo-22928 reported)
  • Red Hat impact: Moderate

Fixed In

Python issue

HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).

  • Python issue: bpo-22928
  • Creation date: 2014-11-24
  • Reporter: Guido Vranken

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
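As an added example (not code from the advisory or from CPython): a defender-side header validator that mirrors the check the fix added to HTTPConnection.putheader(), plus a probe that reports whether the running interpreter's http.client now refuses a header value carrying a CRLF. The host name and header values below are constructed; no socket is opened.

```python
# Added example, not part of the advisory or of CPython itself.
import http.client
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Characters that would terminate the header line or the header block.
# An unpatched putheader() wrote these straight into the request buffer,
# which is what allowed a second header to be injected.
_ILLEGAL_VALUE_RE = re.compile(r"[\r\n\x00]")


def header_is_safe(name, value):
    """Return True if (name, value) can be emitted as a single header line."""
    if not _TOKEN_RE.match(name):
        return False
    if _ILLEGAL_VALUE_RE.search(str(value)):
        return False
    return True


def stdlib_rejects_crlf(value):
    """Return True if this interpreter's http.client refuses `value`.

    The request is only assembled in memory: putrequest()/putheader()
    never connect; the socket is opened by endheaders()/getresponse(),
    which are not called here.
    """
    # Constructed, unresolvable host name (.invalid is reserved by RFC 2606).
    conn = http.client.HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("X-Probe", value)
    except ValueError:
        # Patched versions raise "Invalid header value" here.
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample: a value with an embedded CRLF and a second header.
    injected = "ok\r\nX-Injected: 1"
    print("validator accepts plain value:", header_is_safe("X-Probe", "ok"))
    print("validator accepts CRLF value:", header_is_safe("X-Probe", injected))
    print("interpreter rejects CRLF value:", stdlib_rejects_crlf(injected))
```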

Timeline

Timeline using the disclosure date 2014-11-24 as reference: