{"id":"PYSEC-2014-73","details":"ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.","aliases":["CVE-2012-5486","GHSA-77hv-8796-8ccp","PYSEC-2014-28"],"modified":"2023-11-08T03:57:08.503914Z","published":"2014-09-30T14:55:00Z","references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2012/11/10/1"},{"type":"WEB","url":"https://bugs.launchpad.net/zope2/+bug/930812"},{"type":"ADVISORY","url":"https://plone.org/products/plone/security/advisories/20121106/02"},{"type":"WEB","url":"https://plone.org/products/plone-hotfix/releases/20121106"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-1194.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-77hv-8796-8ccp"}],"affected":[{"package":{"name":"zope2","ecosystem":"PyPI","purl":"pkg:pypi/zope2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.13.19"}]}],"versions":["2.12.0","2.12.0.a1","2.12.0a2","2.12.0a3","2.12.0a4","2.12.0b1","2.12.0b2","2.12.0b3","2.12.0b4","2.12.0c1","2.12.1","2.12.10","2.12.11","2.12.12","2.12.13","2.12.14","2.12.15","2.12.16","2.12.17","2.12.18","2.12.19","2.12.2","2.12.20","2.12.21","2.12.22","2.12.23","2.12.24","2.12.25","2.12.26","2.12.27","2.12.28","2.12.3","2.12.4","2.12.5","2.12.6","2.12.7","2.12.8","2.12.9","2.13.0","2.13.0a1","2.13.0a2","2.13.0a3","2.13.0a4","2.13.0b1","2.13.0c1","2.13.1","2.13.10","2.13.11","2.13.12","2.13.13","2.13.14","2.13.15","2.13.16","2.13.17","2.13.18","2.13.2","2.13.3","2.13.4","2.13.5","2.13.6","2.13.7","2.13.8","2.13.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/zope2/PYSEC-2014-73.yaml"}}],"schema_version":"1.7.3"}