{"id":"PYSEC-2018-55","details":"gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in \"process_headers\" function in \"gunicorn/http/wsgi.py\" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.","aliases":["CVE-2018-1000164","GHSA-32pc-xphx-q4f6"],"modified":"2023-11-08T03:59:36.379813Z","published":"2018-04-18T19:29:00Z","references":[{"type":"REPORT","url":"https://github.com/benoitc/gunicorn/issues/1227"},{"type":"WEB","url":"https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4186"},{"type":"WEB","url":"https://usn.ubuntu.com/4022-1/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-32pc-xphx-q4f6"}],"affected":[{"package":{"name":"gunicorn","ecosystem":"PyPI","purl":"pkg:pypi/gunicorn"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"19.5.0"}]}],"versions":["0.1","0.10.0","0.10.1","0.11.0","0.11.1","0.11.2","0.12.0","0.12.1","0.12.2","0.13.0","0.13.1","0.13.2","0.13.3","0.13.4","0.14.0","0.14.1","0.14.2","0.14.3","0.14.4","0.14.5","0.14.6","0.15.0","0.16.0","0.16.1","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.2","0.2.1","0.3","0.3.1","0.3.2","0.4","0.4.1","0.4.2","0.5","0.5.1","0.6","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.9.0","0.9.1","17.5","18.0","19.0.0","19.1.0","19.1.1","19.2.0","19.2.1","19.3.0","19.4.0","19.4.1","19.4.2","19.4.3","19.4.4","19.4.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/gunicorn/PYSEC-2018-55.yaml"}}],"schema_version":"1.7.3"}