CVE-2020-26137

Published: 10 Feb 2020
Source: redhat
CVSS3: 6.5

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

A flaw was found in python-urllib3. The HTTPConnection.request() does not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
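As an added example (not code from the page, urllib3 or Red Hat), the guard a caller can apply before handing a user-supplied method to HTTPConnection.request() or putrequest(): it enforces the RFC 7230 token grammar, which excludes CR, LF and every other control character, and optionally an allowlist. The helper names, the allowlist and the modelled request line are assumptions.

```python
import re

# RFC 7230 token grammar for the request method:
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# CR (0x0D), LF (0x0A), space and other control bytes are not tchars, so a
# method containing them can never be a legitimate HTTP method.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed allowlist (assumption); tighten or extend it to what the caller needs.
DEFAULT_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


def validate_http_method(method, allowed=DEFAULT_METHODS):
    """Return `method` if it is a valid token and (when an allowlist is given) on it.

    Raises ValueError otherwise. fullmatch() is used deliberately: a `$`-anchored
    match() would still accept a method with a single trailing newline.
    """
    if not isinstance(method, str) or not _TOKEN_RE.fullmatch(method):
        raise ValueError("HTTP method has characters outside the token grammar: %r" % (method,))
    if allowed is not None and method not in allowed:
        raise ValueError("HTTP method not in allowlist: %r" % (method,))
    return method


def build_request_line(method, path, version="HTTP/1.1"):
    """Constructed model of the request line putrequest() writes: the method is
    concatenated straight into it, so an unvalidated method carrying CR/LF
    splits the line and everything after the CRLF is parsed as further headers."""
    return "%s %s %s\r\n" % (method, path, version)


def safe_request_line(method, path):
    """Build the request line only after the method has passed validation."""
    return build_request_line(validate_http_method(method), path)


def request_line_is_well_formed(line):
    """Defensive check on a serialised request line: exactly one CRLF, at the end."""
    return line.endswith("\r\n") and line.count("\r") == 1 and line.count("\n") == 1
```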

Report

  • Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package, which includes a vulnerable version of the urllib3 module; however, from OCP 4.6 the python-urllib3 package is no longer shipped and will not be fixed.
  • In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package. Note: Versions of python-pip are marked as not affected because there is no way for a pip user to control the HTTP request method.

Affected packages

| Platform                                 | Package                          | State                | Advisory | Release |
| Red Hat Enterprise Linux 6               | python-urllib3                   | Out of support scope |          |         |
| Red Hat Enterprise Linux 7               | python-pip                       | Not affected         |          |         |
| Red Hat Enterprise Linux 8               | python38:3.8/python3x-pip        | Not affected         |          |         |
| Red Hat Enterprise Linux 8               | python38:3.8/python-urllib3      | Not affected         |          |         |
| Red Hat Enterprise Linux 8               | python-pip                       | Not affected         |          |         |
| Red Hat OpenStack Platform 10 (Newton)   | python-urllib3                   | Out of support scope |          |         |
| Red Hat OpenStack Platform 13 (Queens)   | python-urllib3                   | Will not fix         |          |         |
| Red Hat Software Collections             | python27-python-pip              | Not affected         |          |         |
| Red Hat Software Collections             | rh-mongodb36-python-urllib3      | Will not fix         |          |         |
| Red Hat Software Collections             | rh-python36-python-pip           | Not affected         |          |         |


Additional information

Status: Moderate
Defect: CWE-113
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1883632 (python-urllib3: CRLF injection via HTTP request method)
CVSS3: 6.5 (Medium)

Related vulnerabilities

  • ubuntu (CVSS3: 6.5, more than 4 years ago): urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
  • nvd (CVSS3: 6.5, more than 4 years ago): urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
  • msrc (CVSS3: 6.5, more than 4 years ago): no description available.
  • debian (CVSS3: 6.5, more than 4 years ago): urllib3 before 1.25.9 allows CRLF injection if the attacker controls t ...
  • suse-cvrf (almost 4 years ago): Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3