gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in the process_headers function in gunicorn/http/wsgi.py that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
The product uses CRLF (carriage return, line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences coming from inputs.
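As an added illustration (not gunicorn's own code, and not the 19.5.0 patch), the kind of check a WSGI server's header serialisation needs in order to neutralize CWE-113: the regexes, function names and the constructed tainted header below are assumptions for the example only.

```python
import re

# Added illustration of the CWE-113 check a WSGI server needs before it
# serialises response headers. Not gunicorn's code; the regexes are an
# assumption about strict RFC 7230 validation, not a copy of the 19.5.0 fix.

# Header field names: RFC 7230 "token" characters only.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values: no CR, LF or other control characters (HTAB is allowed).
_CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class InvalidHeader(ValueError):
    """Raised when a header would corrupt the HTTP framing."""


def is_safe_header(name, value):
    """True if (name, value) can be emitted as exactly one header line."""
    return (isinstance(name, str) and isinstance(value, str)
            and _TOKEN_RE.match(name) is not None
            and _CTL_RE.search(value) is None)


def serialize_response(status, headers, validate=True):
    """Build the status line and header block as it would go on the wire.

    With validate=True (the hardened path) any header carrying CR/LF is
    rejected. With validate=False the function behaves like an unchecked
    process_headers: a value such as "/x\r\nSet-Cookie: injected=1" is
    written verbatim, so the client sees a header the application never set.
    """
    lines = ["HTTP/1.1 %s" % status]
    for name, value in headers:
        if validate and not is_safe_header(name, value):
            raise InvalidHeader("refusing header %r: %r" % (name, value))
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def header_lines(raw):
    """Split a serialised header block into header lines, as a client would.
    Shows how many header lines an unchecked response really carries."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    # Constructed tainted header: one value that smuggles a second header.
    tainted = [("Location", "/home\r\nSet-Cookie: injected=1")]
    print(header_lines(serialize_response("302 Found", tainted, validate=False)))
    try:
        serialize_response("302 Found", tainted)
    except InvalidHeader as exc:
        print("rejected:", exc)
```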
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gunicorn | Gunicorn | 19.4.5 (including) | 19.4.5 (including) |
| Gunicorn | Ubuntu | trusty | * |
| Gunicorn | Ubuntu | trusty/esm | * |
| Gunicorn | Ubuntu | upstream | * |
| Gunicorn | Ubuntu | xenial | * |