Описание
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
Отчет
Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | python | Out of support scope | ||
| Red Hat Enterprise Linux 6 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python3 | Will not fix | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Quay 3 | quay | Affected | ||
| Red Hat Enterprise Linux 7 | python | Fixed | RHSA-2022:5235 | 28.06.2022 |
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2021:1633 | 18.05.2021 |
| Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2021:1761 | 18.05.2021 |
| Red Hat Enterprise Linux 8 | python38 | Fixed | RHSA-2021:1879 | 18.05.2021 |
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2021:1633 | 18.05.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x be ...
EPSS
6.5 Medium
CVSS3