VDB
CVE-2020-7695
CVE-2020-7695
PUBLISHED
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
EPSS 0.34% · 57.3th percentile
Risk Scores
EPSS Score
0.34%
57.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | python-uvicorn | 0, 0.13.3-1, 0.15.0-2ubuntu1 |
| Ubuntu:20.04:LTS | python-uvicorn | 0.11.1-1, 0.3.24-1, 0.11.2-1 |
| Ubuntu:25.10 | python-uvicorn | 0.32.0-3, 0 |
| Ubuntu:24.04:LTS | python-uvicorn | 0, 0.24.0-1build1, 0.25.0-1 |
Exploit Intelligence
Timeline
- Jul 27, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-7695 third-party-advisory
- https://github.com/encode/uvicorn third-party-advisory
- https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-7695 third-party-advisory