CVE & CISA-KEV Catalog

CVE-2020-7694

Severity: LOW (CVSS v3 base score 3.7, source: NVD)

Description

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can:

* Pollute uvicorn's access logs, therefore jeopardising the integrity of such files.
* Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).

How to fix

Remediation Available
python-uvicorn (Debian): fixed in 0.13.3-1 (CVE-2020-7694)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: Low
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploit Intelligence

EPSS: 1.34% probability of exploitation in 30 days
68th percentile

Moderate risk: more likely to be exploited than 68% of all known CVEs.

References

Exploit (1)
Third-Party Advisory (1)

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.