CVE-2020-26116

Опубликовано: 27 сент. 2020

Источник: nvd

CVSS3: 7.2

CVSS2: 6.4

EPSS Низкий

Описание

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
Mailing List
Third Party Advisory
https://bugs.python.org/issue39603
Exploit
Issue Tracking
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
Patch
Third Party Advisory
https://security.gentoo.org/glsa/202101-18
Third Party Advisory
https://security.netapp.com/advisory/ntap-20201023-0001/
Third Party Advisory
https://usn.ubuntu.com/4581-1/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
Mailing List
Third Party Advisory
https://bugs.python.org/issue39603
Exploit
Issue Tracking
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.5.10 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.6.0 (включая) до 3.6.12 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.7.0 (включая) до 3.7.9 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.8.0 (включая) до 3.8.5 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Конфигурация 5

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 6

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Конфигурация 7

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

EPSS

Процентиль: 74%

0.00832

Низкий

7.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-74

Связанные уязвимости

CVE-2020-26116

CVSS3: 7.2

ubuntu

больше 5 лет назад

CVE-2020-26116

CVSS3: 6.5

redhat

почти 6 лет назад

CVE-2020-26116

CVSS3: 7.2

msrc

около 5 лет назад

http.client in Python 3.x before 3.5.10 3.6.x before 3.6.12 3.7.x before 3.7.9 and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

CVE-2020-26116

CVSS3: 7.2

debian

больше 5 лет назад

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x be ...

openSUSE-SU-2020:1988-1

suse-cvrf

около 5 лет назад

Security update for python

EPSS

Процентиль: 74%

0.00832

Низкий

7.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-74