PYSEC-2018-55
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/gunicorn/PYSEC-2018-55.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2018-55
- Aliases
- Published
- 2018-04-18T19:29:00Z
- Modified
- 2023-11-01T05:44:08.220410Z
- Summary
- [none]
- Details
-
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
- References
-
- https://github.com/benoitc/gunicorn/issues/1227
- https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
- https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html
- https://www.debian.org/security/2018/dsa-4186
- https://usn.ubuntu.com/4022-1/
- https://github.com/advisories/GHSA-32pc-xphx-q4f6
Affected packages
PyPI / gunicorn
Package
- Name
- gunicorn
- View open source insights on deps.dev
- Purl
- pkg:pypi/gunicorn
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed19.5.0
Affected versions
0.*
0.1
0.2
0.2.1
0.3
0.3.1
0.3.2
0.4
0.4.1
0.4.2
0.5
0.5.1
0.6
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.9.0
0.9.1
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.15.0
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
17.*
17.5
18.*
18.0
19.*
19.0.0
19.1.0
19.1.1
19.2.0
19.2.1
19.3.0
19.4.0
19.4.1
19.4.2
19.4.3
19.4.4
19.4.5