Описание
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python3.9 | fixed | 3.9.0~b5-1 | package | |
| python3.8 | fixed | 3.8.5-1 | package | |
| python3.7 | removed | package | ||
| python3.7 | fixed | 3.7.3-2+deb10u3 | buster | package |
| python3.5 | removed | package | ||
| python2.7 | removed | package | ||
| python2.7 | ignored | bullseye | package | |
| pypy3 | fixed | 7.3.3+dfsg-1 | package |
Примечания
https://bugs.python.org/issue39603
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e (master)
https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71 (v3.9.0b5)
https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf (v3.8.5)
https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a (v3.7.9)
https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae (v3.6.12)
https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 (v3.5.10)
EPSS
Связанные уязвимости
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
http.client in Python 3.x before 3.5.10 3.6.x before 3.6.12 3.7.x before 3.7.9 and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
EPSS