CVE-2020-26116

Published: 27 Sep 2020
Source: debian

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

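Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| python3.9 | fixed | 3.9.0~b5-1 | | package |
| python3.8 | fixed | 3.8.5-1 | | package |
| python3.7 | removed | | | package |
| python3.7 | fixed | 3.7.3-2+deb10u3 | buster | package |
| python3.5 | removed | | | package |
| python2.7 | removed | | | package |
| python2.7 | ignored | | bullseye | package |
| pypy3 | fixed | 7.3.3+dfsg-1 | | package |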

Notes

  • https://bugs.python.org/issue39603

  • https://python-security.readthedocs.io/vuln/http-header-injection-method.html

  • https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e (master)

  • https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71 (v3.9.0b5)

  • https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf (v3.8.5)

  • https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a (v3.7.9)

  • https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae (v3.6.12)

  • https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 (v3.5.10)

Related vulnerabilities

CVSS3: 7.2
ubuntu
more than 4 years ago

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

CVSS3: 6.5
redhat
more than 5 years ago

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

CVSS3: 7.2
nvd
more than 4 years ago

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

CVSS3: 7.2
msrc
more than 4 years ago

No description available

suse-cvrf
more than 4 years ago

Security update for python