{"id":"CVE-2018-1000164","details":"gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in \"process_headers\" function in \"gunicorn/http/wsgi.py\" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.","aliases":["GHSA-32pc-xphx-q4f6","PYSEC-2018-55"],"modified":"2026-03-14T09:27:02.929454Z","published":"2018-04-18T19:29:00.707Z","references":[{"type":"WEB","url":"https://usn.ubuntu.com/4022-1/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4186"},{"type":"REPORT","url":"https://github.com/benoitc/gunicorn/issues/1227"},{"type":"EVIDENCE","url":"https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/benoitc/gunicorn","events":[{"introduced":"0"},{"last_affected":"6dcd7a6ada1b6f9bd9d2840b12b4a6cee0e96301"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.4.5"}]}}],"versions":["0.10.1","0.11.0","0.11.1","0.11.2","0.12.0","0.12.2","0.13.0","0.13.1","0.13.2","0.13.3","0.13.4","0.14.0","0.14.1","0.14.2","0.14.3","0.14.4","0.14.5","0.14.6","0.15.0","0.16.0","0.16.1","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.2","0.2.1","0.3","0.3.1","0.3.2","0.4","0.4.1","0.4.2","0.5","0.5.1","0.6","0.6.1","0.6.2","0.6.3","0.6.4","0.6.6","0.6.7","0.7","0.7.0","0.7.1","0.7.2","0.8.2","0.9","0.9.0","0.9.1","17.5","18.0","19.0","19.1","19.1.1","19.2","19.2.1","19.3","19.4","19.4.1","19.4.2","19.4.4","19.4.5"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000164.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}