HTTP header splitting in gunicorn 19.4.5 (CVE-2018-1000164)
April 2, 2018
- 02 Apr 2018: This post is published
- 02 Apr 2018: CVE ID requested
- 06 Apr 2018: CVE-2018-1000164 assigned
During a vulnerability research spree, I came across this GitHub issue titled Potential HTTP Response Splitting Vulnerability, belonging to the gunicorn project. The title says “potential”, but the vulnerability was present and got fixed in commit 6c3d8.
Unfortunately, this vulnerability hasn’t been reported to MITRE nor to the Distributed Weakness Filing System (DWF); therefore it’s not listed in any public CVE database. In an effort to spread this information to anyone considering using this version of gunicorn, I’ll file a DWF report hoping this issue gets a CVE ID.
An HTTP header splitting vulnerability is caused by not sanitizing strings containing characters with special meaning in HTTP (such as LF, the line feed) in data that will later be used to generate HTTP headers.
We can test this vulnerability by creating a Python 2 virtual environment with gunicorn 19.4.5 installed:
The following code (myapp.py) will define both
We can run this by executing gunicorn -w 4 myapp:app and going to http://127.0.0.1:8000. Here’s the resulting HTTP response:
If we attempt to do this in gunicorn 19.5.0+, this will be the resulting HTTP response:
This behavior is expected, thanks to commit 6c3d8.
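As an added illustration (not the myapp.py from this post, and not gunicorn code), the following Python 3 snippet shows the application-side counterpart of the server fix: a small WSGI app that reflects a query parameter into a Location header, wrapped in a hypothetical middleware that refuses to emit any header containing CR or LF. Running the app in-process with a constructed request shows the unwrapped app passing the line break through and the wrapped app rejecting it, so the protection no longer depends on which gunicorn version serves the app.

```python
import re
from urllib.parse import parse_qs

# A header value containing CR or LF terminates the header line, which is
# what lets injected text become extra headers (HTTP header splitting).
_LINE_BREAK_RE = re.compile(r"[\r\n]")


def is_safe_header_value(value):
    """True if the value cannot break out of its own header line."""
    return _LINE_BREAK_RE.search(value) is None


def split_safe_middleware(app):
    """Hypothetical WSGI middleware (not part of gunicorn) that validates
    every header name and value before handing them to the server."""
    def wrapped(environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            for name, value in headers:
                if not (is_safe_header_value(name) and is_safe_header_value(value)):
                    raise ValueError("line break in header %r" % name)
            return start_response(status, headers, exc_info)
        return app(environ, checked_start_response)
    return wrapped


def app(environ, start_response):
    """Constructed sample app: redirects to the 'next' query parameter
    without validating it, the classic source of a splitting bug."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    target = params.get("next", ["/"])[0]
    start_response("302 Found", [("Location", target)])
    return [b""]


hardened_app = split_safe_middleware(app)


def run(wsgi_app, query_string):
    """Invoke a WSGI app in-process (no server) and return (status, headers),
    or ("error", message) if the middleware rejected the response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    try:
        b"".join(wsgi_app(environ, start_response))
    except ValueError as exc:
        return ("error", str(exc))
    return (captured["status"], captured["headers"])
```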