Lucene search

[email protected]CVE-2020-7694

HistoryJul 27, 2020 - 12:15 p.m.

CVE-2020-7694

2020-07-2712:15:11

CWE-116

CWE-94

[email protected]

web.nvd.nist.gov

cve-2020-7694

uvicorn

package

ansi escape sequence

injection

request logger

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

49.8%

JSON

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it’s been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn’s access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that’s displaying the logs (either in real time or from a file).

Affected configurations

NVD

Node

encodeuvicornMatch-

CPENameOperatorVersion
encode:uvicornencode uvicorneq-

CPE	Name	Operator	Version
encode:uvicorn	encode uvicorn	eq	-

CNA Affected

[
  {
    "product": "uvicorn",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]