HTTP header injection in urllib, urllib2, httplib and http.client modules.
CRLF injection vulnerability in the HTTPConnection.putheader() function in urllib2 and urllib in CPython before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Reported again in January 2016 by Timothy D. Morgan (Blindspot Security), with full disclosure on 2016-06-15.
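The following script is an added example; it is not part of the original advisory and not CPython's own code. It models how a CRLF sequence in the host part of a URL ends up in the Host header and splits the raw request into extra header lines, and beside it a hardened request builder that rejects such values. split_host() is a deliberately simplified model of the old host extraction, the two regular expressions are modelled on the checks the fix added to http.client (an assumption; compare with your interpreter's http/client.py), and INJECTED_URL is a constructed sample. putheader_rejects_crlf() is the practical check: it drives the real http.client.HTTPConnection without opening a socket and reports whether the running interpreter refuses CR/LF in a header value.

```python
import re
import http.client

# Constructed sample: the host component of this URL carries a CRLF sequence.
# Before the fix, urllib/urllib2 passed the parsed host straight to
# HTTPConnection.putheader("Host", host) without checking for CR/LF.
INJECTED_URL = "http://example.com\r\nX-Injected: 1/index.html"


def split_host(url):
    """Simplified model (assumption) of the old host extraction: everything
    between '://' and the next '/' is the host, control characters included."""
    m = re.match(r"[a-z]+://([^/]*)(/.*)?$", url, re.S)
    return m.group(1), m.group(2) or "/"


def build_request_unchecked(method, path, headers):
    """Model of the pre-fix putheader(): header values are joined verbatim."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Modelled on the checks the fix added to http.client (assumption): a header
# name must not contain ':' or CR/LF, and a CR or LF in a value is only legal
# as part of a whitespace continuation ("obs-fold").
_LEGAL_HEADER_NAME = re.compile(rb"[^:\s][^:\r\n]*").fullmatch
_ILLEGAL_HEADER_VALUE = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])").search


def build_request_checked(method, path, headers):
    """Hardened builder: refuses names and values that could split the request."""
    lines = [f"{method} {path} HTTP/1.1".encode("latin-1")]
    for name, value in headers:
        n, v = name.encode("latin-1"), str(value).encode("latin-1")
        if not _LEGAL_HEADER_NAME(n):
            raise ValueError(f"Invalid header name {n!r}")
        if _ILLEGAL_HEADER_VALUE(v):
            raise ValueError(f"Invalid header value {v!r}")
        lines.append(n + b": " + v)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def parse_headers(raw):
    """Parse a raw request the way a naive server would: one header per CRLF line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def demonstrate(url):
    """Return (headers as a server would see them from the unchecked builder,
    whether the checked builder rejected the same Host value)."""
    host, path = split_host(url)
    _, headers = parse_headers(build_request_unchecked("GET", path, [("Host", host)]))
    try:
        build_request_checked("GET", path, [("Host", host)])
        rejected = False
    except ValueError:
        rejected = True
    return headers, rejected


def putheader_rejects_crlf():
    """True if this interpreter's http.client refuses CR/LF in a header value
    (fixed CPython), False if it buffers the value unchanged (vulnerable).
    putrequest()/putheader() only fill an internal buffer; no socket is opened."""
    conn = http.client.HTTPConnection("example.com")
    conn.putrequest("GET", "/", skip_host=True)
    try:
        conn.putheader("Host", "example.com\r\nX-Injected: 1")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print("unchecked builder:", demonstrate(INJECTED_URL)[0])
    print("checked builder rejected it:", demonstrate(INJECTED_URL)[1])
    print("this interpreter's http.client rejects CR/LF:", putheader_rejects_crlf())
```

Running it on a patched interpreter shows the unchecked builder handing a server two headers (Host and X-Injected) from a single Host value, the checked builder raising ValueError on the same input, and putheader_rejects_crlf() returning True. A folded continuation such as "a\r\n b" still passes the value check, which is what distinguishes this pattern from a blanket ban on CR and LF.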
Dates:
Disclosure date: 2014-11-24 (Python issue bpo-22928 reported)
Red Hat impact: Moderate
Python 2.7.10 (2015-05-23) fixed by commit 59bdf63 (branch 2.7) (2015-03-12)
Python 3.3.7 (2017-09-19) fixed by commit 8e88f6b (branch 3.3) (2017-07-26)
Python 3.4.4 (2015-12-20) fixed by commit a112a8a (branch 3.4) (2015-03-12)
Python 3.5.0 (2015-09-12) fixed by commit a112a8a (branch 3.4) (2015-03-12)
HTTP header injection in urllib2/urllib/httplib/http.client (CVE-2016-5699).
Python issue: bpo-22928
Creation date: 2014-11-24
Reporter: Guido Vranken
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
CVE ID: CVE-2016-5699
Published: 2016-09-02
CVSS Score: 4.3
Timeline using the disclosure date 2014-11-24 as reference:
2014-11-24: Python issue bpo-22928 reported by Guido Vranken
2015-03-12 (+108 days): commit 59bdf63 (branch 2.7)
2015-03-12 (+108 days): commit a112a8a (branch 3.4)
2015-05-23 (+180 days): Python 2.7.10 released
2015-09-12 (+292 days): Python 3.5.0 released
2015-12-20 (+391 days): Python 3.4.4 released
2016-09-02 (+648 days): CVE-2016-5699 published
2017-07-26 (+975 days): commit 8e88f6b (branch 3.3)
2017-09-19 (+1030 days): Python 3.3.7 released