
RVD#1493: CRLF injection vulnerability in Python before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers #1493

@glerapic

Description

{
    "id": 1493,
    "title": "RVD#1493: CRLF injection vulnerability in Python before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers",
    "type": "vulnerability",
    "description": "CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.",
    "cwe": "CWE-113",
    "cve": "CVE-2016-5699",
    "keywords": [
        "CRLF",
        "injection",
        "python"
    ],
    "system": "URx",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 6.2,
        "rvss-vector": "RVSS:1.0/AV:RN/AC:L/PR:N/UI:R/Y:T/S:U/C:L/I:L/A:N/H:N",
        "severity-description": "medium",
        "cvss-score": 6.1,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
    },
    "links": [
        "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5699",
        "http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html",
        "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html",
        "https://github.com/aliasrobotics/RVD/issues/1493"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "N/A",
        "architectural-location": "application-specific",
        "application": "python",
        "subsystem": "N/A",
        "package": "python2.7 2.7.3-6+deb7u2 i386",
        "languages": "python",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)",
        "detected-by-method": "N/A",
        "date-reported": "2020-04-03",
        "reported-by": "Cedric Buissart (original bug), Alias Robotics S.L.",
        "reported-by-relationship": "Security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1493",
        "reproducibility": "Always",
        "trace": "N/A",
        "reproduction": "Not available",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "The injection of arbitrary HTTP headers via CRLF sequences in a URL may be leveraged through the HTTPConnection.putheader function in both urllib2 and urllib",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "sudo apt-get --assume-yes install --only-upgrade python2.7",
        "pull-request": "https://hg.python.org/cpython/rev/1c45047c5102",
        "date-mitigation": null
    }
}
