Vulnerability Details CVE-2018-1000164
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 79.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
- https://github.com/benoitc/gunicorn/issues/1227
- https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
- https://usn.ubuntu.com/4022-1/
- https://www.debian.org/security/2018/dsa-4186
- https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
- https://github.com/benoitc/gunicorn/issues/1227
- https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
- https://usn.ubuntu.com/4022-1/
- https://www.debian.org/security/2018/dsa-4186
Products affected by CVE-2018-1000164
-
cpe:2.3:a:gunicorn:gunicorn:19.4.5
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0