First published: Mon Jul 27 2020
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not rejected or escaped in the names and values of HTTP response headers. Whenever an application places crafted input into a response header, an attacker can exploit this to terminate the header early and append arbitrary headers, or even supply an entire response body of their choosing.
Credit: report@snyk.io
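The split described above, shown as an added example that is not Uvicorn's code: a naive HTTP/1.1 serializer that writes header bytes verbatim (the behaviour the advisory describes, reduced to its essence), the same serializer guarded by the kind of control-character check that rejects CR/LF, and a minimal client-side parser showing what a downstream peer would see. The Location value, the injected Set-Cookie header and body, and all function names are constructed for illustration.

```python
import re

# Constructed sample input: an attacker-controlled redirect target that a
# hypothetical application copies straight into a Location header.  The CRLF
# sequences terminate the real header and smuggle in a cookie, a Content-Length
# and a complete body of the attacker's choosing.
ATTACKER_VALUE = (
    b"/home\r\n"
    b"Set-Cookie: session=evil\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"pwned"
)

# Control characters (CR and LF included) are not permitted anywhere in a
# header name or value by the RFC 7230 field grammar; rejecting them blocks
# the split regardless of what the application put in the value.
_CTL_RE = re.compile(rb"[\x00-\x1f\x7f]")

_REASONS = {200: b"OK", 302: b"Found"}


def serialize_unchecked(status, headers):
    """Naive HTTP/1.1 serializer that writes header bytes verbatim.

    Illustrates the vulnerable behaviour (not Uvicorn's own code): nothing
    stops a value containing CRLF from ending the header block early.
    """
    out = b"HTTP/1.1 %d %s\r\n" % (status, _REASONS[status])
    for name, value in headers:
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n"


def serialize_checked(status, headers):
    """Same serializer, but refuse any header containing a control character.

    Raising is the right response: a CR/LF in a header is never legitimate,
    and silently stripping it would hide the application bug that produced it.
    """
    for name, value in headers:
        if _CTL_RE.search(name) or _CTL_RE.search(value):
            raise ValueError("control character in HTTP header: %r" % (name + b": " + value))
    return serialize_unchecked(status, headers)


def parse_response(raw):
    """Minimal client/proxy-side parser: returns (headers, body).

    Header names are lower-cased; the body is truncated to Content-Length when
    one is present, as a real client would do.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    _status_line, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b": ")
        headers[name.lower()] = value
    if b"content-length" in headers:
        rest = rest[: int(headers[b"content-length"])]
    return headers, rest


def demo():
    """Return what a downstream peer sees when the unchecked serializer is used."""
    raw = serialize_unchecked(302, [(b"location", ATTACKER_VALUE)])
    return parse_response(raw)


if __name__ == "__main__":
    headers, body = demo()
    print("injected header:", headers.get(b"set-cookie"))
    print("injected body:", body)
    try:
        serialize_checked(302, [(b"location", ATTACKER_VALUE)])
    except ValueError as exc:
        print("checked serializer rejected it:", exc)
```

The server-side check is a backstop, not a substitute for application hygiene: an ASGI application should never build a header value from raw request input in the first place, and should validate or encode it before calling `send` for `http.response.start`. With a server that rejects control characters, the worst case becomes a failed response rather than a forged one.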
Affected Software | Affected Version | How to fix |
---|---|---|
Encode Uvicorn | <0.11.7 | 0.11.7 |
pip/uvicorn | <0.11.7 | 0.11.7 |
CVE-2020-7695 is a vulnerability in Uvicorn before 0.11.7 that allows for HTTP response splitting.
Attackers can exploit CVE-2020-7695 when an application running on Uvicorn places attacker-controlled input into a response header: embedded CRLF sequences let them add arbitrary headers to the response or return an arbitrary response body.
CVE-2020-7695 has a CVSS v3 base score of 5.3 (medium).
All Uvicorn versions before 0.11.7 are affected by CVE-2020-7695.
To fix CVE-2020-7695, update Uvicorn to version 0.11.7 or later.