Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-26137

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Published

2020-09-30T18:15:26.773

Last Modified

2024-11-21T05:19:19.680

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	python	urllib3	< 1.25.9	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	canonical	ubuntu_linux	20.04	Yes
Operating System	debian	debian_linux	9.0	Yes
Application	oracle	communications_cloud_native_core_network_function_cloud_native_environment	22.2.0	Yes
Application	oracle	zfs_storage_appliance_kit	8.8	Yes

References

https://bugs.python.org/issue39603 Issue Tracking, Vendor Advisory ([email protected])
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Patch, Third Party Advisory ([email protected])
https://github.com/urllib3/urllib3/pull/1800 Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html ([email protected])
https://usn.ubuntu.com/4570-1/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
https://bugs.python.org/issue39603 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/urllib3/urllib3/pull/1800 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4570-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)