CVE-2015-5285

medium

Published 2015-10-29 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

5.0

VIR risk

5.0

Description

CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://kallithea-scm.org/security/cve-2015-5285.html

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	kallithea	`<0.3`	`0.3`

Application impact

Vendor	Product	Versions	Fixed
kallithea-scm	kallithea	`{"endIncluding":"0.2"}`

References

http://packetstormsecurity.com/files/133897/Kallithea-0.2.9-HTTP-Response-Splitting.html
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
https://kallithea-scm.org/security/cve-2015-5285.html
https://www.exploit-db.com/exploits/38424/
https://nvd.nist.gov/vuln/detail/CVE-2015-5285
https://github.com/NexMirror/Kallithea
https://github.com/pypa/advisory-database/tree/main/vulns/kallithea/PYSEC-2015-13.yaml
https://www.exploit-db.com/exploits/38424

Verify integrity in audit chain (admin only). AS-IS.