Vulnerability Description
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
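The two defensive checks below are an added example, not code from the CVE record or from CPython: a pre-flight check that the host part of a URL cannot carry CR/LF into the Host header (raw or percent-encoded, since older urllib unquoted the host before building the header), and a probe showing that a patched http.client (2.7.10 / 3.4.4 and later) refuses CRLF in `putheader`. Function names, the `X-Test` header and the `example.invalid` host are my own choices; no network connection is opened.

```python
import http.client
from urllib.parse import unquote, urlsplit

CRLF_CHARS = ("\r", "\n")


def has_crlf(value: str) -> bool:
    """True if the string contains a carriage return or line feed."""
    return any(c in value for c in CRLF_CHARS)


def url_host_is_safe(url: str) -> bool:
    """Return False when `url` could smuggle CR/LF into the Host header.

    The raw URL is checked first (newer urlsplit silently strips raw CR/LF,
    so it must not be relied on), then the percent-decoded netloc, which is
    what vulnerable urllib versions placed into the Host header.
    """
    if has_crlf(url):
        return False
    netloc = urlsplit(url).netloc
    return not has_crlf(unquote(netloc))


def putheader_rejects_crlf(value: str) -> bool:
    """Return True if the running http.client refuses `value` in putheader.

    Patched CPython raises ValueError('Invalid header value ...') for a
    value containing a bare CR or LF; vulnerable versions wrote it into the
    request buffer unchanged.  The connection is never opened.
    """
    conn = http.client.HTTPConnection("example.invalid")  # constructed host
    conn.putrequest("GET", "/", skip_host=True)  # only fills the buffer
    try:
        conn.putheader("X-Test", value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample URLs: a clean one and one with an encoded CRLF in the host.
    for u in ("http://example.com:8080/foo",
              "http://example.com%0d%0aX-Injected:%20y/"):
        print(u, "host safe:", url_host_is_safe(u))
    print("patched putheader:", putheader_rejects_crlf("x\r\nX-Injected: y"))
```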
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | <= 2.7.9 |
Related Weaknesses (CWE)
References
- http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html (Exploit, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2016-1626.html
- http://rhn.redhat.com/errata/RHSA-2016-1627.html
- http://rhn.redhat.com/errata/RHSA-2016-1628.html
- http://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://rhn.redhat.com/errata/RHSA-2016-1630.html
- http://www.openwall.com/lists/oss-security/2016/06/14/7 (Mailing List)
- http://www.openwall.com/lists/oss-security/2016/06/15/12 (Mailing List)
- http://www.openwall.com/lists/oss-security/2016/06/16/2 (Mailing List)
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91226
- http://www.splunk.com/view/SP-CAAAPSV
- http://www.splunk.com/view/SP-CAAAPUE
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4 (Release Notes)
FAQ
What is CVE-2016-5699?
CVE-2016-5699 is a vulnerability with a CVSS score of 6.1 (MEDIUM). CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP ...
How severe is CVE-2016-5699?
CVE-2016-5699 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-5699?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python.