Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-0391

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Published

2022-02-09T23:15:16.580

Last Modified

2024-11-21T06:38:31.507

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-74
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	python	python	< 3.6.14	Yes
Application	python	python	< 3.7.11	Yes
Application	python	python	< 3.8.11	Yes
Application	python	python	< 3.9.5	Yes
Application	python	python	3.10.0	Yes
Application	python	python	3.10.0	Yes
Application	python	python	3.10.0	Yes
Application	python	python	3.10.0	Yes
Application	python	python	3.10.0	Yes
Application	python	python	3.10.0	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	hci	-	Yes
Application	netapp	management_services_for_element_software	-	Yes
Application	netapp	ontap_select_deploy_administration_utility	-	Yes
Application	netapp	solidfire\,_enterprise_sds_\&_hci_storage_node	-	Yes
Hardware	netapp	hci_compute_node	-	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Application	oracle	http_server	12.2.1.3.0	Yes
Application	oracle	http_server	12.2.1.4.0	Yes
Application	oracle	zfs_storage_appliance_kit	8.8	Yes

References

https://bugs.python.org/issue43882 Exploit, Issue Tracking, Patch, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/ ([email protected])
https://security.gentoo.org/glsa/202305-02 ([email protected])
https://security.netapp.com/advisory/ntap-20220225-0009/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://bugs.python.org/issue43882 Exploit, Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202305-02 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220225-0009/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)