CVE-2020-7695: HTTP Response Splitting
First published: Mon Jul 27 2020(Updated: )
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Encode Uvicorn | <0.11.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-7695?
CVE-2020-7695 is a vulnerability in Uvicorn before 0.11.7 that allows for HTTP response splitting.
How can an attacker exploit CVE-2020-7695?
Attackers can exploit CVE-2020-7695 by using crafted input to add arbitrary headers to HTTP responses or return arbitrary response bodies.
What is the severity of CVE-2020-7695?
CVE-2020-7695 has a severity score of 5.3 (medium).
Which software versions are affected by CVE-2020-7695?
Uvicorn versions up to and excluding 0.11.7 are affected by CVE-2020-7695.
How can I fix CVE-2020-7695?
To fix CVE-2020-7695, update Uvicorn to version 0.11.7 or later.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/encode
- canonical/encode uvicorn