CVE-2016-5699 — HTTP Request/Response Splitting in Python

CWE-113 — HTTP Request/Response Splitting CWE-20 — Improper Input Validation21 documents8 sources

Severity

6.1MEDIUMNVD

OSV6.5

EPSS

35.3%

top 2.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Python2.7 Python

Timeline

PublishedSep 2

Latest updateMay 14

Description

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/python2.7< python2.7 2.7.10~rc1-1 (bullseye)

▶NVDpython/python2.7.9+26

Patches

Patch: hg.python.org ↗Patch: hg.python.org ↗Patch: hg.python.org ↗

🔴Vulnerability Details

GHSA

GHSA-mfrc-633m-gcwg: CRLF injection vulnerability in the HTTPConnection↗2022-05-14

▶

OSV

python2.7, python3.2, python3.4, python3.5 vulnerabilities↗2016-11-22

▶

OSV

CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection↗2016-09-02

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2016-11-22

▶

Debian

CVE-2016-5699: python2.7 - CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2...↗2016

▶

Red Hat

python: http protocol steam injection attack↗2014-11-24

▶

💬Community

HackerOne

Additional information for CVE-2016-5699↗2019-11-12

▶

Bugzilla

CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()↗2019-04-03

▶

HackerOne

urllib HTTP header injection CVE-2016-5699↗2016-09-01

▶

Bugzilla

CVE-2016-5699 pypy: python: http protocol steam injection attack [fedora-22]↗2016-06-30

▶

Bugzilla

CVE-2016-5699 pypy3: python: http protocol steam injection attack [fedora-all]↗2016-06-30

▶