The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability CVE-2016-5699

Python: header tampering via urllib2, urllib

Synthesis of the vulnerability

An attacker can change the HTTP request created by urllib.
Impacted systems: Debian, Fedora, openSUSE, openSUSE Leap, Solaris, Python, RHEL, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this alert: 2/4.
Consequences of an intrusion: user access/rights, data reading.
Pirate's origin: document.
Creation date: 17/06/2016.
Références of this alert: bulletinjul2016, CVE-2016-5699, DLA-1663-1, DLA-522-1, FEDORA-2016-34ca5273e9, FEDORA-2016-6c2b74bb96, FEDORA-2016-b046b56518, FEDORA-2016-ef784cf9f7, openSUSE-SU-2016:1885-1, openSUSE-SU-2016:2120-1, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, SP-CAAAPSR, SPL-128812, SUSE-SU-2019:0223-1, USN-3134-1, VIGILANCE-VUL-19925.

Description of the vulnerability

The urllib module of the Python library is an HTTP client.

However, the urllib module accepts HTTP headers at the end of the URL. The headers will be inserted before the ones added by urllib.

An attacker can therefore change the HTTP request created by urllib.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides computers vulnerabilities announces. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.