Описание
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 2.7.17-1~18.04ubuntu1 |
| devel | DNE | |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/focal | not-affected | 2.7.18~rc1-2 |
| esm-apps/jammy | not-affected | 2.7.18~rc1-2 |
| esm-infra-legacy/trusty | not-affected | 2.7.6-8ubuntu0.6+esm5 |
| esm-infra/bionic | not-affected | 2.7.17-1~18.04ubuntu1 |
| esm-infra/xenial | not-affected | 2.7.12-1ubuntu0~16.04.11 |
| focal | not-affected | 2.7.18~rc1-2 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | DNE | |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | not-affected | 3.4.3-1ubuntu1~14.04.7+esm6 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| groovy | DNE | |
| hirsute | DNE | |
| impish | DNE |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | DNE | |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | not-affected | 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1 |
| esm-infra/focal | DNE | |
| esm-infra/xenial | not-affected | 3.5.2-2ubuntu0~16.04.10 |
| focal | DNE | |
| groovy | DNE | |
| hirsute | DNE |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 3.6.9-1~18.04ubuntu1 |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/bionic | not-affected | 3.6.9-1~18.04ubuntu1 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| groovy | DNE | |
| hirsute | DNE |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needed |
| devel | DNE | |
| disco | ignored | end of life |
| eoan | released | 3.7.5-2~19.10ubuntu1 |
| esm-apps/bionic | released | 3.7.5-2ubuntu1~18.04.2+esm3 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| groovy | DNE | |
| hirsute | DNE |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needed |
| devel | DNE | |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/bionic | released | 3.8.0-3ubuntu1~18.04.2+esm2 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/focal | not-affected | 3.8.2-1ubuntu1.1 |
| focal | released | 3.8.2-1ubuntu1.1 |
| groovy | released | 3.8.2-1ubuntu1.1 |
| hirsute | DNE |
Показывать по
EPSS
4.3 Medium
CVSS2
6.1 Medium
CVSS3
Связанные уязвимости
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and ur ...
EPSS
4.3 Medium
CVSS2
6.1 Medium
CVSS3