1879686 – (CVE-2020-7695) CVE-2020-7695 uvicorn: crafted input leads to HTTP response splitting

Bug 1879686 (CVE-2020-7695) - CVE-2020-7695 uvicorn: crafted input leads to HTTP response splitting

Summary: CVE-2020-7695 uvicorn: crafted input leads to HTTP response splitting

Keywords:
Status:	NEW
Alias:	CVE-2020-7695
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1880967
Blocks:	1879688
TreeView+	depends on / blocked

Reported:	2020-09-16 19:17 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-07-07 08:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-09-16 19:17:40 UTC

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

References:
https://github.com/encode/uvicorn/issues/719
https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471

Comment 1 lnacshon 2020-09-21 09:48:58 UTC

Fix pushed here https://github.com/encode/uvicorn/pull/725/commits/731076ae6d9c11201442f3711488ae191253ce31

Comment 4 Carl George 🤠 2020-11-10 02:42:44 UTC

Fedora packages this as python-uvicorn, but has never shipped an affected version.  The initial import (bug 1844308) was for version 0.11.8.

Note You need to log in before you can comment on or make changes to this bug.