HTTP header injection¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
HTTP header injection in urllib
, urrlib2
, httplib
and
http.client
modules.
CRLF injection vulnerability in the HTTPConnection.putheader()
function
in urllib2
and urllib
in CPython before 2.7.10 and 3.x before 3.4.4
allows remote attackers to inject arbitrary HTTP headers via CRLF sequences
in a URL.
Reported again in January 2016 by Timothy D. Morgan (Blindspot Security), with a full disclosed at 2016-06-15.
Dates:
- Disclosure date: 2014-11-24 (Python issue bpo-22928 reported)
- Red Hat impact: Moderate
Fixed In¶
- Python 2.7.10 (2015-05-23) fixed by commit 59bdf63 (branch 2.7) (2015-03-12)
- Python 3.3.7 (2017-09-19) fixed by commit 8e88f6b (branch 3.3) (2017-07-26)
- Python 3.4.4 (2015-12-20) fixed by commit a112a8a (branch 3.4) (2015-03-12)
- Python 3.5.0 (2015-09-12) fixed by commit a112a8a (branch 3.4) (2015-03-12)
Python issue¶
HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699).
- Python issue: bpo-22928
- Creation date: 2014-11-24
- Reporter: Guido Vranken
CVE-2016-5699¶
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
- CVE ID: CVE-2016-5699
- Published: 2016-09-02
- CVSS Score: 4.3
Timeline¶
Timeline using the disclosure date 2014-11-24 as reference:
- 2014-11-24: Python issue bpo-22928 reported by Guido Vranken
- 2015-03-12 (+108 days): commit 59bdf63 (branch 2.7)
- 2015-03-12 (+108 days): commit a112a8a (branch 3.4)
- 2015-05-23 (+180 days): Python 2.7.10 released
- 2015-09-12: Python 3.5.0 released
- 2015-12-20 (+391 days): Python 3.4.4 released
- 2016-09-02 (+648 days): CVE-2016-5699 published
- 2017-07-26 (+975 days): commit 8e88f6b (branch 3.3)
- 2017-09-19 (+1030 days): Python 3.3.7 released