CVE-2020-26137

medium

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://usn.ubuntu.com/4570-1/

https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html

https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

https://github.com/urllib3/urllib3/pull/1800

https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

https://bugs.python.org/issue39603

Details

Source: Mitre, NVD

Published: 2020-09-30

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N