Your submission was sent successfully! Close

CVE-2018-1000164

Published: 18 April 2018

gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.

From the Ubuntu Security Team

It was discovered that gunicorn improperly handled certain input. An attacker could potentially use this issue execute a cross-site scripting (XSS) attack.

Notes

AuthorNote
mdeslaur
there are no reverse-depends on gunicorn in trusty, lowering
priority to low
Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
gunicorn
Launchpad, Ubuntu, Debian
artful Not vulnerable
(19.7.1-3)
bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

eoan Not vulnerable

focal Not vulnerable

groovy Not vulnerable

hirsute Not vulnerable

impish Not vulnerable

jammy Not vulnerable

precise Does not exist

trusty Needed

upstream
Released (19.5.0-1)
xenial
Released (19.4.5-1ubuntu1.1)
Patches:
upstream: https://github.com/benoitc/gunicorn/commit/5263a4ef2a63c62216680876f3813959839608ff
upstream: https://github.com/benoitc/gunicorn/pull/1229/files