PyPI: uwsgi
CVE-2023-27522
Safety vulnerability ID: SFTY-20230307-12676
Safety legacy ID: pyup.io-71321
Affected versions of uWSGI are vulnerable to HTTP response splitting: an attacker who can inject malicious response headers into backend applications can cause an HTTP desynchronization attack.
Overview
Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling
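As an added illustration (not code from uWSGI, from this advisory, or from the referenced fix commits), the check below shows the kind of response-header validation that stops response splitting at the application layer: a WSGI middleware that refuses to start a response if any header name or value contains CR, LF or NUL, the characters that let a proxy or client read the remaining bytes as a second response. The demo backend, the environ and the header values are constructed here.

```python
import re
from typing import Iterable, List, Tuple

# RFC 7230 field-name token, and the characters that must never appear inside a
# header value: CR, LF and NUL terminate or split the serialised header block.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header pair could split the serialised response."""


def validate_headers(headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the header list unchanged if every (name, value) is safe to emit."""
    checked = []
    for name, value in headers:
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"illegal header name {name!r}")
        if _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"CR/LF/NUL in value of {name}: {value!r}")
        checked.append((name, value))
    return checked


def guard(app):
    """WSGI middleware that refuses to start a response with unsafe headers."""
    def wrapped(environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            return start_response(status, validate_headers(headers), exc_info)
        return app(environ, checked_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed backend that reflects the untrusted query string into a
    Location header, the bug pattern the guard above is meant to catch."""
    start_response("302 Found", [("Location", environ.get("QUERY_STRING", ""))])
    return [b""]


def run(app, query: str) -> str:
    """Drive a WSGI app with a constructed environ; 'ok' or the rejection reason."""
    def start_response(status, headers, exc_info=None):
        return None  # a real server would serialise status and headers here
    try:
        list(app({"QUERY_STRING": query}, start_response))
    except HeaderInjectionError as err:
        return str(err)
    return "ok"
```

Running the unguarded `demo_app` with a query string containing `\r\n` returns "ok", which is exactly the failure: the server would have emitted the injected line as a header of its own.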
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20230307-12676/CVE-2023-27522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
- https://github.com/unbit/uwsgi/commit/2abdd3df894d41edc512500bfc5b77650fee7d13
- https://nvd.nist.gov/vuln/detail/CVE-2023-27522
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
- https://github.com/apache/httpd/commit/d753ea76b5972a85349b68c31b59d04c60014f2d
- https://github.com/unbit/uwsgi/commit/58ee1df31fa9e9af106aaeabb82374c36b433822
- https://github.com/unbit/uwsgi/commit/acb03530aaaeaa810f28a5b64da619525940f569
- https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.22.html
- https://security.gentoo.org/glsa/202309-01
- https://github.com/advisories/GHSA-vcph-37mh-fqrh
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.