Candidate: CVE-2020-7694
PublicDate: 2020-07-27 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7694
 https://github.com/encode/uvicorn
 https://snyk.io/vuln/SNYK-PYTHON-UVICORN-575560
Description:
 This affects all versions of package uvicorn. The request logger provided
 by the package is vulnerable to ASNI escape sequence injection. Whenever
 any HTTP request is received, the default behaviour of uvicorn is to log
 its details to either the console or a log file. When attackers request
 crafted URLs with percent-encoded escape sequences, the logging component
 will log the URL after it's been processed with urllib.parse.unquote,
 therefore converting any percent-encoded characters into their
 single-character equivalent, which can have special meaning in terminal
 emulators. By requesting URLs with crafted paths, attackers can: * Pollute
 uvicorn's access logs, therefore jeopardising the integrity of such files.
 * Use ANSI sequence codes to attempt to interact with the terminal emulator
 that's displaying the logs (either in real time or from a file).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_python-uvicorn:
upstream_python-uvicorn: needs-triage
precise/esm_python-uvicorn: DNE
trusty_python-uvicorn: ignored (out of standard support)
trusty/esm_python-uvicorn: DNE
xenial_python-uvicorn: DNE
bionic_python-uvicorn: DNE
focal_python-uvicorn: needs-triage
groovy_python-uvicorn: ignored (reached end-of-life)
hirsute_python-uvicorn: ignored (reached end-of-life)
impish_python-uvicorn: needs-triage
jammy_python-uvicorn: needs-triage
devel_python-uvicorn: needs-triage