Описание
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
A flaw was found in python-httplib2. An attacker controlling an unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.
Отчет
While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay. Red Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low. This issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows. There's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed. In Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Engine 2 | python-httplib2 | Out of support scope | ||
| Red Hat Ansible Tower 3 | python-httplib2 | Out of support scope | ||
| Red Hat Ceph Storage 2 | python-httplib2 | Out of support scope | ||
| Red Hat Enterprise Linux 8 | python-httplib2 | Fix deferred | ||
| Red Hat OpenStack Platform 10 (Newton) | python-httplib2 | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | python-httplib2 | Will not fix | ||
| Red Hat Quay 3 | python-httplib2 | Will not fix | ||
| Red Hat Storage 3 | python-httplib2 | Affected | ||
| Red Hat Update Infrastructure 3 for Cloud Providers | python-httplib2 | Fix deferred | ||
| Red Hat Enterprise Linux 7 | resource-agents | Fixed | RHSA-2020:5004 | 10.11.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.8 Medium
CVSS3
Связанные уязвимости
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
In httplib2 before version 0.18.0, an attacker controlling unescaped p ...
ELSA-2020-5947: resource-agents security update (IMPORTANT)
EPSS
6.8 Medium
CVSS3