Bug 1879686 (CVE-2020-7695)

Summary: CVE-2020-7695 uvicorn: crafted input leads to HTTP response splitting
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carl, python-sig
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1880967
Bug Blocks: 1879688

Description Guilherme de Almeida Suckevicz 2020-09-16 19:17:40 UTC
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

References:
https://github.com/encode/uvicorn/issues/719
https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471
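The mechanism behind the description above, as an added example that is not uvicorn's own code and not part of this bug report: a minimal HTTP/1.1 serializer that copies header values onto the wire verbatim (the behaviour described for versions before 0.11.7), the same serializer with the validation a header block needs, and a small client-side parser that shows what each output looks like to the receiver. All function names, the regexes and the attacker-controlled redirect target are constructed for this illustration.

```python
import re

# Added example, not uvicorn's code. It shows why an unescaped CR/LF in a
# header value turns one HTTP/1.1 response into two, and the validation a
# serializer needs. Function names and inputs are invented for the illustration.

# RFC 7230: a field-name is a token; a field-value is VCHAR / SP / HTAB / obs-text.
# Anything else, CR and LF above all, must never reach the wire inside a header.
_BAD_NAME = re.compile(rb"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")
_BAD_VALUE = re.compile(rb"[^\t\x20-\x7e\x80-\xff]")


def build_response_unsafe(status_line, headers, body):
    """Serialize a response the way a server that does NOT validate headers
    would: every (name, value) pair is joined with CRLF exactly as given."""
    lines = [b"HTTP/1.1 " + status_line]
    lines += [name + b": " + value for name, value in headers]
    lines.append(b"content-length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def build_response_safe(status_line, headers, body):
    """Same wire format, but refuse any name or value that could terminate a
    header line, so caller-supplied input cannot end the header block early."""
    for name, value in headers:
        if _BAD_NAME.search(name):
            raise ValueError("invalid character in header name: %r" % name)
        if _BAD_VALUE.search(value):
            raise ValueError("invalid character in header value: %r" % value)
    return build_response_unsafe(status_line, headers, body)


def parse_response(raw):
    """Minimal receiver's view: status line, headers up to the first blank
    line, then content-length bytes of body. Bytes after the body are
    returned separately; a keep-alive client would read them as the start
    of the *next* response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), value.strip())
    length = int(headers.get(b"content-length", b"0"))
    return status_line, headers, rest[:length], rest[length:]


def header_injection_demo():
    """Constructed attacker input: a redirect target that smuggles a
    Set-Cookie header through the unescaped Location value."""
    target = b"/home\r\nset-cookie: session=attacker"
    raw = build_response_unsafe(b"302 Found", [(b"location", target)], b"")
    return parse_response(raw)


def body_injection_demo():
    """Same sink, but the injected value closes the header block and supplies
    its own content-length, so the receiver renders attacker-chosen HTML and
    the server's real content-length header lands after the body."""
    fake = b"<html>injected</html>"
    target = b"/home\r\ncontent-length: %d\r\n\r\n%s" % (len(fake), fake)
    raw = build_response_unsafe(b"302 Found", [(b"location", target)], b"")
    return parse_response(raw)


def hardened_rejects(value):
    """True if the validating serializer refuses this Location value."""
    try:
        build_response_safe(b"302 Found", [(b"location", value)], b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    _, hdrs, _, _ = header_injection_demo()
    print("injected header:", hdrs.get(b"set-cookie"))
    _, _, body, leftover = body_injection_demo()
    print("injected body:", body, "| leftover on the wire:", leftover)
    print("hardened serializer rejects CRLF:", hardened_rejects(b"/home\r\nx: y"))
```

The check belongs in the serializer rather than in each application, because any handler that copies request data into a redirect target, a cookie or a custom header is a sink for this class of bug. A denylist of just `\r\n` is not enough: a bare `\n` is accepted as a line terminator by many parsers, so the validator above uses an allowlist of the characters RFC 7230 permits.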

Comment 4 Carl George 🤠 2020-11-10 02:42:44 UTC
Fedora packages this as python-uvicorn, but has never shipped an affected version.  The initial import (bug 1844308) was for version 0.11.8.