Vulnerability Details : CVE-2016-5699
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Products affected by CVE-2016-5699
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4.3:*:*:*:*:*:*:*
Threat overview for CVE-2016-5699
- Top open port discovered on systems with this issue: 8123
- IPs affected by CVE-2016-5699: 134,271
- Threat actors abusing this issue? Yes
(Data from SecurityScorecard attack surface intelligence.)
Exploit prediction scoring system (EPSS) score for CVE-2016-5699
- EPSS score: 0.47% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2016-5699
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2016-5699
- The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-5699
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html: Oracle Solaris Bulletin - July 2016
- http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html: Blindspot Security [Exploit; Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2016-1627.html: RHSA-2016:1627 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-1630.html: RHSA-2016:1630 - Security Advisory - Red Hat Customer Portal
- https://hg.python.org/cpython/rev/1c45047c5102: cpython: 1c45047c5102 [Patch]
- http://www.openwall.com/lists/oss-security/2016/06/14/7: oss-security - CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client [Mailing List]
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4: Changelog — Python 3.4.10 documentation [Release Notes]
- https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html: [SECURITY] [DLA 1663-1] python3.4 security update
- http://rhn.redhat.com/errata/RHSA-2016-1629.html: RHSA-2016:1629 - Security Advisory - Red Hat Customer Portal
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html: [security-announce] openSUSE-SU-2020:0086-1: important: Security update
- http://rhn.redhat.com/errata/RHSA-2016-1628.html: RHSA-2016:1628 - Security Advisory - Red Hat Customer Portal
- http://www.splunk.com/view/SP-CAAAPUE: Splunk Enterprise 6.4.5 addresses multiple vulnerabilities | Splunk
- https://hg.python.org/cpython/rev/bf3e1c9b80e9: cpython: bf3e1c9b80e9 [Patch]
- http://www.openwall.com/lists/oss-security/2016/06/16/2: oss-security - Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client [Mailing List]
- http://www.openwall.com/lists/oss-security/2016/06/15/12: oss-security - Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client [Mailing List]
- https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS: Python 2.7.10 Misc/NEWS [Release Notes]
- http://rhn.redhat.com/errata/RHSA-2016-1626.html: RHSA-2016:1626 - Security Advisory - Red Hat Customer Portal
- http://www.splunk.com/view/SP-CAAAPSV: Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities | Splunk
- http://www.securityfocus.com/bid/91226: Python 'urrlib2/urllib/httplib/http.client' HTTP Header Injection Vulnerability