Vulnerability CVE-2020-7695


Published: 2020-07-27

Description:
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

Type: CWE-74

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Affected software:
Encode -> Uvicorn

References:
https://github.com/encode/uvicorn
https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471
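
Defensive check for the condition in the description, as an added example (not code from Uvicorn or from the 0.11.7 fix): an ASGI middleware that refuses any response whose header name or value contains CR or LF and sends a plain 500 instead. The names `HeaderInjectionGuard`, `has_crlf`, `redirect_app` and `run` are hypothetical, and the sample app and query strings are constructed for illustration.

```python
import asyncio
from urllib.parse import parse_qs

def has_crlf(headers):
    # ASGI response headers are (name, value) pairs of byte strings.
    return any(c in part for pair in headers for part in pair
               for c in (b"\r", b"\n"))

class HeaderInjectionGuard:
    """Hypothetical ASGI middleware: block responses with CR/LF in headers."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        blocked = False

        async def guarded_send(message):
            nonlocal blocked
            if blocked:
                return  # drop the remainder of a rejected response
            if (message["type"] == "http.response.start"
                    and has_crlf(message.get("headers", []))):
                blocked = True
                await send({"type": "http.response.start", "status": 500,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body",
                            "body": b"Internal Server Error"})
                return
            await send(message)

        await self.app(scope, receive, guarded_send)

async def redirect_app(scope, receive, send):
    # Constructed sample app: copies the "next" parameter into Location.
    target = parse_qs(scope["query_string"].decode()).get("next", ["/"])[0]
    await send({"type": "http.response.start", "status": 302,
                "headers": [(b"location", target.encode())]})
    await send({"type": "http.response.body", "body": b""})

def run(app, query_string):
    # Drive an ASGI app once, offline, and return the messages it sent.
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": "/",
             "query_string": query_string, "headers": []}
    asyncio.run(app(scope, receive, send))
    return sent
```

Wrapping the application as `HeaderInjectionGuard(redirect_app)` keeps the check in the application layer, so it applies regardless of which server version ends up serializing the headers.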

Copyright 2024, cxsecurity.com