It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | python26 | 2016-07-20 18:00 | ALAS-2016-724 |
Amazon Linux 1 | python27 | 2016-07-20 18:00 | ALAS-2016-724 |
Amazon Linux 1 | python34 | 2016-07-20 18:00 | ALAS-2016-724 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Amazon Linux | CVSSv3 | 5.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
NVD | CVSSv3 | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |