urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
References
Link | Resource |
---|---|
https://bugs.python.org/issue39603 | Issue Tracking Vendor Advisory |
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b | Patch Third Party Advisory |
https://github.com/urllib3/urllib3/pull/1800 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html | |
https://usn.ubuntu.com/4570-1/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Dec 2021, 19:56
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html - Mailing List, Third Party Advisory | |
References | (UBUNTU) https://usn.ubuntu.com/4570-1/ - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Jun 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-09-30 18:15
Updated : 2024-02-04 21:23
NVD link : CVE-2020-26137
Mitre link : CVE-2020-26137
CVE.ORG link : CVE-2020-26137
JSON object : View
Products Affected
debian
- debian_linux
oracle
- zfs_storage_appliance_kit
- communications_cloud_native_core_network_function_cloud_native_environment
python
- urllib3
canonical
- ubuntu_linux
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')