Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMycGMteHBoeC1xNGY2

Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers

Gunicorn version 19.4.5 contains a CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) vulnerability in the "process_headers" function in "gunicorn/http/wsgi.py" that can allow an attacker to cause the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
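As an added illustration of the CWE-113 class described above (not Gunicorn's own code, and not the 19.5.0 fix itself), the following Python shows the kind of check a WSGI server's header processing needs: any CR, LF or other control byte in a response header aborts the response instead of being copied into it. Function names and the sample headers are constructed for this example.

```python
import re

# Added example of the validation that closes a CWE-113 (CRLF injection) hole in a
# WSGI server's response-header handling. This is illustrative code, not Gunicorn's
# process_headers(); the names and sample headers below are constructed.

# Any CR, LF or other control byte in a header value is rejected outright.
# (RFC 7230 field-values may not contain bare CR/LF; obs-fold is obsolete.)
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Header names must be RFC 7230 tokens, which also excludes CR/LF and ':'.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class InvalidHeader(ValueError):
    """Raised when an application supplies a header the server must not emit."""


def check_header(name: str, value: str) -> None:
    """Reject non-token header names and values carrying control bytes."""
    if not _TOKEN_RE.match(name):
        raise InvalidHeader(f"bad header name: {name!r}")
    if _CTL_RE.search(value):
        raise InvalidHeader(f"control character in value of {name}: {value!r}")


def process_headers(headers):
    """Validate a WSGI start_response() header list; return it as (name, value) pairs.

    A vulnerable server copies each pair straight into the response, so one CR/LF
    in a value splits the response. Here it raises, and the server answers 500.
    Surrounding whitespace is stripped; embedded control bytes are rejected.
    """
    out = []
    for name, value in headers:
        name, value = str(name).strip(), str(value).strip()
        check_header(name, value)
        out.append((name, value))
    return out


def find_injectable(headers):
    """Detection helper: names of headers whose values would be rejected."""
    flagged = []
    for name, value in headers:
        try:
            check_header(str(name).strip(), str(value).strip())
        except InvalidHeader:
            flagged.append(str(name))
    return flagged


# Constructed sample: a Location header built from unvalidated input that carries
# a CRLF pair, alongside two legitimate headers.
SAFE_HEADERS = [("Content-Type", "text/html; charset=utf-8"), ("Cache-Control", "no-store")]
TAINTED_HEADERS = SAFE_HEADERS + [("Location", "/home\r\nX-Injected: 1")]

if __name__ == "__main__":
    print(process_headers(SAFE_HEADERS))
    print("rejected:", find_injectable(TAINTED_HEADERS))
```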

Permalink: https://github.com/advisories/GHSA-32pc-xphx-q4f6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMycGMteHBoeC1xNGY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00491
EPSS Percentile: 0.76502

Identifiers: GHSA-32pc-xphx-q4f6, CVE-2018-1000164
References: Repository: https://github.com/benoitc/gunicorn
Blast Radius: 40.8

Affected Packages

pypi:gunicorn
Dependent packages: 771
Dependent repositories: 277,527
Downloads: 67,947,935 last month
Affected Version Ranges: < 19.5.0
Fixed in: 19.5.0
All affected versions: 0.2.1, 0.3.1, 0.3.2, 0.4.1, 0.4.2, 0.5.1, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 19.0.0, 19.1.0, 19.1.1, 19.2.0, 19.2.1, 19.3.0, 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5
All unaffected versions: 19.5.0, 19.6.0, 19.7.0, 19.7.1, 19.8.0, 19.8.1, 19.9.0, 19.10.0, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.1.0, 21.0.0, 21.0.1, 21.1.0, 21.2.0, 22.0.0, 23.0.0