Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cTM4LXc1Nm0tcXEyY84AAxa1
Header injection in TurboGears
A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The manipulation leads to http response splitting. It is possible to initiate the attack remotely. Upgrading to version 1.0.11.11 is able to address this issue. The name of the patch is f68bbaba47f4474e1da553aa51564a73e1d92a84. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220059.
Permalink: https://github.com/advisories/GHSA-8q38-w56m-qq2cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cTM4LXc1Nm0tcXEyY84AAxa1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: 6 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8q38-w56m-qq2c, CVE-2019-25101
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-25101
- https://github.com/OnShift/turbogears/pull/18
- https://github.com/OnShift/turbogears/commit/f68bbaba47f4474e1da553aa51564a73e1d92a84
- https://github.com/OnShift/turbogears/releases/tag/v1.0.11.11
- https://vuldb.com/?ctiid.220059
- https://vuldb.com/?id.220059
- https://github.com/advisories/GHSA-8q38-w56m-qq2c
Blast Radius: 0.0
Affected Packages
pypi:TurboGears
Dependent packages: 0Dependent repositories: 1
Downloads: 866 last month
Affected Version Ranges: < 1.0.11.11
Fixed in: 1.0.11.11
All affected versions: 0.5.0, 0.8.8, 0.8.9
All unaffected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.1.1, 1.1.2, 1.1.3, 1.5.1