CVE-2018-1000164

gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
VendorProductVersion
gunicorngunicorn
19.4.5
debiandebian_linux
7.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gunicorn
bullseye
20.1.0-1
fixed
bookworm
20.1.0-6
fixed
sid
23.0.0-1
fixed
trixie
23.0.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gunicorn
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
not-affected
xenial
Fixed 19.4.5-1ubuntu1.1
released
trusty
Fixed 17.5-2ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
https://github.com/benoitc/gunicorn/issues/1227
https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
https://usn.ubuntu.com/4022-1/
https://www.debian.org/security/2018/dsa-4186
https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
https://github.com/benoitc/gunicorn/issues/1227
https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
https://usn.ubuntu.com/4022-1/
https://www.debian.org/security/2018/dsa-4186