CVE-2019-6802
Published 2019-01-25
CVE-2019-6802: CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.
Priority: P3 · 37 · medium · 6.1 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 3.92% (89.0th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| python | pypiserver | <= 1.2.5 | — |
| python | pypiserver | >= 0 < 1.2.6 | 1.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA (ghsa · 2019-01-30)
CVE-2019-6802 [MEDIUM] CWE-74: CRLF Injection in pypiserver
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a `%0d%0a` in a URI.
OSV (osv · 2019-01-30)
CVE-2019-6802 [MEDIUM]: CRLF Injection in pypiserver
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a `%0d%0a` in a URI.
OSV (osv · 2019-01-25)
CVE-2019-6802: CRLF Injection in pypiserver 1
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI.
No detection rules found.
Nuclei (nuclei · CVSS 6.1)
CVE-2019-6802 [MEDIUM] Pypiserver <1.2.5 - Carriage Return Line Feed Injection
Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI.
Template:
```yaml
id: CVE-2019-6802
info:
  name: Pypiserver <1.2.5 - Carriage Return Line Feed Injection
  author: 0x_Akoko
  severity: medium
  description: |
    Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI.
  impact: |
    Attackers can inject arbitrary HTTP headers through CRLF injection, potentially conducting cross-site scripting attacks or cache poisoning.
  remediation: |
    Upgrade to Pypiser
```
No writeups or analysis indexed.
Published: 2019-01-25