CVE-2016-5699

Description

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

How to fix CVE-2016-5699

To remediate CVE-2016-5699, upgrade the affected package to a fixed version below.

Debian/python2.7—upgrade to 2.7.10~rc1-1 or later

Is CVE-2016-5699 being exploited?

Moderate — EPSS is 41.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.7.10~rc1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-5699