urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
References
Link | Resource |
---|---|
https://bugs.python.org/issue39603 | Issue Tracking Vendor Advisory |
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b | Patch Third Party Advisory |
https://github.com/urllib3/urllib3/pull/1800 | Patch Third Party Advisory |
https://usn.ubuntu.com/4570-1/ | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html | Mailing List Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Information
Published : 2020-09-30 11:15
Updated : 2023-01-31 13:36
NVD link : CVE-2020-26137
Mitre link : CVE-2020-26137
JSON object : View
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Products Affected
oracle
- communications_cloud_native_core_network_function_cloud_native_environment
- zfs_storage_appliance_kit
canonical
- ubuntu_linux
debian
- debian_linux
python
- urllib3