CVE-2020-7695
HTTP response splitting in uvicorn
7.5
HIGH
CVSS 3.1
EPSS 0.34%
Description
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
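The following is an added illustration, not uvicorn's own code or its actual fix. It contrasts a deliberately naive header serializer (a simplified stand-in for the pre-0.11.7 behaviour the description names, not uvicorn's implementation) with one that refuses to emit any name or value containing CR, LF or NUL, and a minimal client-side parser shows what a receiver would see in each case. The header names and the untrusted value are constructed for the example.

```python
"""Added example (not uvicorn's code): why unescaped CR/LF in a header value
splits an HTTP response, and the check a server should apply before
serialising headers. All header data here is constructed for illustration."""
from __future__ import annotations


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break out of its own line."""


def naive_serialize(status: int, headers: list[tuple[str, str]]) -> bytes:
    """Serialise a status line plus headers with no validation at all.

    Simplified stand-in for the behaviour the advisory describes: a value
    containing "\\r\\n" is written verbatim, so the client parses whatever
    follows it as further headers (or, after a blank line, as the body).
    """
    lines = [f"HTTP/1.1 {status} OK"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_serialize(status: int, headers: list[tuple[str, str]]) -> bytes:
    """Serialise only after rejecting CR, LF and NUL in every name and value.

    Rejecting (rather than silently stripping) makes the bad input visible in
    application logs instead of hiding a bug in the calling code.
    """
    forbidden = "\r\n\x00"
    for name, value in headers:
        if any(c in forbidden for c in name) or any(c in forbidden for c in value):
            raise HeaderInjectionError(f"control character in header {name!r}")
    return naive_serialize(status, headers)


def parse_headers(raw: bytes) -> dict[str, str]:
    """Minimal client-side parse: returns the header lines a client would see."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    parsed: dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        key, _, value = line.partition(": ")
        parsed[key] = value
    return parsed


# Constructed sample: an application copies untrusted input into a header value.
UNTRUSTED_VALUE = "en\r\nX-Injected: yes"  # hypothetical, not from the page


def headers_seen_by_client(serializer) -> dict[str, str]:
    """Run one serializer on the constructed sample and parse the result."""
    return parse_headers(serializer(200, [("Content-Language", UNTRUSTED_VALUE)]))


if __name__ == "__main__":
    print("naive:", headers_seen_by_client(naive_serialize))
    try:
        headers_seen_by_client(safe_serialize)
    except HeaderInjectionError as exc:
        print("safe:", exc)
```

With the naive serializer the client sees two headers where the application set one; the hardened serializer raises before anything is written to the socket. The same check belongs wherever header values are assembled from request data, regardless of which server framework is in use.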
How to fix CVE-2020-7695
To remediate CVE-2020-7695, upgrade the affected package to a fixed version below.
- —upgrade to 0.13.3-1 or later
- —upgrade to 0.11.7 or later
- —upgrade to 0.11.7 or later
Is CVE-2020-7695 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 0.13.3-1
- from 0, < 0.11.7
- from 0, < 0.11.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |