CVE-2020-7695 – uvicorn
Package
Manager: pip
Name: uvicorn
Vulnerable Version: >=0 <0.11.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.003 (percentile: 0.52807)
Details
HTTP response splitting in uvicorn
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
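An application-side guard for the condition described above, as an added example that is not part of the advisory and not uvicorn's own fix: an ASGI middleware that refuses to send a response whose header names or values contain CR, LF or NUL. The names `HeaderGuard`, `check_headers`, `make_redirect_app` and `run` are hypothetical, and the redirect app and its inputs are constructed for the demonstration.

```python
import asyncio

FORBIDDEN = (b"\r", b"\n", b"\x00")  # bytes that must never appear in a header line

class UnsafeHeaderError(ValueError):
    """Raised when a response header would break HTTP/1.1 framing."""

def check_headers(headers):
    """Validate ASGI-style [(name, value), ...] byte pairs; return them unchanged."""
    for name, value in headers:
        for part in (name, value):
            if any(b in part for b in FORBIDDEN):
                raise UnsafeHeaderError(f"control byte in header {name!r}")
    return headers

class HeaderGuard:
    """Hypothetical ASGI middleware: validates headers before the server sees them."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        async def guarded_send(message):
            # Headers only travel in the response-start message.
            if message["type"] == "http.response.start":
                check_headers(message.get("headers", []))
            await send(message)
        await self.app(scope, receive, guarded_send)

def make_redirect_app(target: bytes):
    """Constructed sample app that copies caller-supplied input into Location."""
    async def app(scope, receive, send):
        await send({"type": "http.response.start", "status": 302,
                    "headers": [(b"location", target)]})
        await send({"type": "http.response.body", "body": b""})
    return app

def run(target: bytes):
    """Drive the guarded app once; return the sent messages, or the error raised."""
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    try:
        asyncio.run(HeaderGuard(make_redirect_app(target))({"type": "http"}, receive, send))
    except UnsafeHeaderError as exc:
        return exc
    return sent
```

The guard rejects the response instead of stripping the bytes, so a crafted value surfaces as an error the application can log and answer with a 400 or 500.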
Metadata
Created: 2020-07-29T18:07:20Z
Modified: 2024-11-18T22:31:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-f97h-2pfx-f59f/GHSA-f97h-2pfx-f59f.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-f97h-2pfx-f59f
Finding: F184
Auto approve: 1