Medium severity 6.1 · NVD Advisory · Published Sep 2, 2016 · Updated May 6, 2026
CVE-2016-5699
Description
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Patches
No patches discovered yet.
References
- hg.python.org/cpython/rev/1c45047c5102 (NVD: Patch)
- hg.python.org/cpython/rev/bf3e1c9b80e9 (NVD: Patch)
- blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html (NVD: Exploit, Third Party Advisory)
- www.openwall.com/lists/oss-security/2016/06/14/7 (NVD: Mailing List)
- www.openwall.com/lists/oss-security/2016/06/15/12 (NVD: Mailing List)
- www.openwall.com/lists/oss-security/2016/06/16/2 (NVD: Mailing List)
- docs.python.org/3.4/whatsnew/changelog.html (NVD: Release Notes)
- hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS (NVD: Release Notes)
- lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1626.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1627.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1628.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1629.html (NVD)
- rhn.redhat.com/errata/RHSA-2016-1630.html (NVD)
- www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html (NVD)
- www.securityfocus.com/bid/91226 (NVD)
- www.splunk.com/view/SP-CAAAPSV (NVD)
- www.splunk.com/view/SP-CAAAPUE (NVD)
- lists.debian.org/debian-lts-announce/2019/02/msg00011.html (NVD)