CVE-2018-1000164: Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers

CVSS Score: 7.5

Basic Information

CVE ID: CVE-2018-1000164
GHSA ID: -
EPSS Score: -
CWE: CWE-93
Published: 7/12/2018
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| gunicorn | pip | < 19.5.0 | 19.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly names 'process_headers' in 'gunicorn/http/wsgi.py' as the vulnerable function.
- Multiple authoritative sources (CVE, GHSA, Debian/Ubuntu security notices) confirm this function's role in header processing vulnerabilities.
- The CWE-93 classification directly maps to improper CRLF neutralization in HTTP headers.
- Issue #1227 in benoitc/gunicorn demonstrates practical exploitation scenarios involving CRLF injection through header manipulation.
- The patch in version 19.5.0 would logically target this specific header processing function.
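As an added illustration (not gunicorn's code and not the 19.5.0 patch itself), the class of check that neutralises CRLF in response-header processing: an unchecked serializer that lets a CRLF-bearing value split into extra header lines, beside a hardened one that rejects control characters in names and values before they reach the socket. The regexes, function names and sample header lists are this example's own assumptions.

```python
import re

# Control characters (CR, LF, NUL, ...) must never appear in a header value.
# Assumed pattern for this example; gunicorn's exact regex is not on this page.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Header names must be RFC 7230 tokens; anything else is rejected.
_NON_TOKEN_RE = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")

class InvalidHeader(ValueError):
    """Raised when an application-supplied header would corrupt the response."""

def serialize_headers_unchecked(headers):
    """'Before' behaviour: join (name, value) pairs without neutralising CRLF,
    so a value containing '\\r\\n' becomes extra header lines on the wire."""
    return "".join("%s: %s\r\n" % (name, value) for name, value in headers)

def serialize_headers_checked(headers):
    """Hardened: reject any name or value carrying CR, LF or other control
    characters before it reaches the socket (the class of check the fix adds)."""
    lines = []
    for name, value in headers:
        if not isinstance(name, str) or not isinstance(value, str):
            raise TypeError("header names and values must be str")
        if not name or _NON_TOKEN_RE.search(name):
            raise InvalidHeader("invalid header name: %r" % name)
        if _CTL_RE.search(value):
            raise InvalidHeader("control character in header value: %r" % value)
        lines.append("%s: %s\r\n" % (name, value))
    return "".join(lines)

def is_valid_header_list(headers):
    """True if the hardened serializer accepts every header, else False."""
    try:
        serialize_headers_checked(headers)
    except InvalidHeader:
        return False
    return True

def header_line_count(wire):
    """Header lines actually on the wire; exposes the split a raw CRLF causes."""
    return wire.count("\r\n")

# Constructed sample input: a clean list and one whose single Location value
# carries an embedded CRLF, which the unchecked path turns into two lines.
CLEAN = [("Location", "/home"), ("Content-Type", "text/html")]
TAINTED = [("Location", "/home\r\nX-Injected: 1")]
```

The unchecked path emits two header lines for the single TAINTED entry, while the checked path raises InvalidHeader on it and passes CLEAN through unchanged.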