CVE-2020-26116

Опубликовано: 27 сент. 2020

Источник: nvd

CVSS3: 7.2

CVSS2: 6.4

EPSS Низкий

Описание

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
Mailing List
Third Party Advisory
https://bugs.python.org/issue39603
Exploit
Issue Tracking
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
Patch
Third Party Advisory
https://security.gentoo.org/glsa/202101-18
Third Party Advisory
https://security.netapp.com/advisory/ntap-20201023-0001/
Third Party Advisory
https://usn.ubuntu.com/4581-1/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
Mailing List
Third Party Advisory
https://bugs.python.org/issue39603
Exploit
Issue Tracking
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.5.10 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.6.0 (включая) до 3.6.12 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.7.0 (включая) до 3.7.9 (исключая)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Версия от 3.8.0 (включая) до 3.8.5 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Конфигурация 5

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 6

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Конфигурация 7

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

EPSS

Процентиль: 66%

0.00513

Низкий

7.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-74

Связанные уязвимости

CVE-2020-26116

CVSS3: 7.2

ubuntu

больше 4 лет назад

CVE-2020-26116

CVSS3: 6.5

redhat

больше 5 лет назад

CVE-2020-26116

CVSS3: 7.2

msrc

больше 4 лет назад

Описание отсутствует

CVE-2020-26116

CVSS3: 7.2

debian

больше 4 лет назад

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x be ...

openSUSE-SU-2020:1988-1

suse-cvrf

больше 4 лет назад

Security update for python

EPSS

Процентиль: 66%

0.00513

Низкий

7.2 High

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-74