CVE-2020-26116

high

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

References

https://bugs.python.org/issue39603

https://python-security.readthedocs.io/vuln/http-header-injection-method.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/

https://lists.fedoraproject.org/archives/list/[email protected]/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/

https://usn.ubuntu.com/4581-1/

https://security.netapp.com/advisory/ntap-20201023-0001/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

https://security.gentoo.org/glsa/202101-18

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2020-09-27

Updated: 2021-10-20

Type: CWE-116

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins


| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 152937 | RHEL 8 : python3 (RHSA-2021:3366) | Nessus | Red Hat Local Security Checks | high |
| 152764 | Oracle Linux 8 : python27:2.7 (ELSA-2021-1761) | Nessus | Oracle Linux Local Security Checks | critical |
| 151380 | EulerOS Virtualization 3.0.2.2 : python (EulerOS-SA-2021-2159) | Nessus | Huawei Local Security Checks | critical |
| 151340 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2021-2096) | Nessus | Huawei Local Security Checks | critical |
| 150670 | SUSE SLES11 Security Update : python (SUSE-SU-2020:14550-1) | Nessus | SuSE Local Security Checks | high |
| 150032 | CentOS 8 : python38:3.8 (CESA-2021:1879) | Nessus | CentOS Local Security Checks | critical |
| 149959 | Oracle Linux 8 : python3 (ELSA-2021-1633) | Nessus | Oracle Linux Local Security Checks | critical |
| 149749 | CentOS 8 : python27:2.7 (CESA-2021:1761) | Nessus | CentOS Local Security Checks | critical |
| 149729 | CentOS 8 : python3 (CESA-2021:1633) | Nessus | CentOS Local Security Checks | critical |
| 149712 | RHEL 8 : python3 (RHSA-2021:1633) | Nessus | Red Hat Local Security Checks | critical |
| 149710 | RHEL 8 : python27:2.7 (RHSA-2021:1761) | Nessus | Red Hat Local Security Checks | critical |
| 149708 | RHEL 8 : python38:3.8 (RHSA-2021:1879) | Nessus | Red Hat Local Security Checks | critical |
| 148008 | Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3) | Nessus | Ubuntu Local Security Checks | critical |
| 147696 | EulerOS Virtualization 2.9.0 : python3 (EulerOS-SA-2021-1649) | Nessus | Huawei Local Security Checks | critical |
| 147485 | EulerOS Virtualization 2.9.1 : python3 (EulerOS-SA-2021-1623) | Nessus | Huawei Local Security Checks | critical |
| 147474 | EulerOS Virtualization 3.0.2.6 : python (EulerOS-SA-2021-1449) | Nessus | Huawei Local Security Checks | high |
| 147120 | EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2021-1560) | Nessus | Huawei Local Security Checks | critical |
| 147105 | EulerOS Virtualization 3.0.6.6 : python (EulerOS-SA-2021-1512) | Nessus | Huawei Local Security Checks | critical |
| 147031 | EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2021-1543) | Nessus | Huawei Local Security Checks | critical |
| 146127 | EulerOS 2.0 SP5 : python (EulerOS-SA-2021-1226) | Nessus | Huawei Local Security Checks | critical |
| 145389 | openSUSE Security Update : python3 (openSUSE-2020-2333) | Nessus | SuSE Local Security Checks | critical |
| 145326 | openSUSE Security Update : python3 (openSUSE-2020-2332) | Nessus | SuSE Local Security Checks | critical |
| 145303 | GLSA-202101-18 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 145144 | EulerOS 2.0 SP3 : python (EulerOS-SA-2021-1114) | Nessus | Huawei Local Security Checks | critical |
| 144586 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1) | Nessus | SuSE Local Security Checks | critical |
| 143876 | SUSE SLES12 Security Update : python (SUSE-SU-2020:3121-1) | Nessus | SuSE Local Security Checks | high |
| 143854 | SUSE SLES12 Security Update : python3 (SUSE-SU-2020:3262-1) | Nessus | SuSE Local Security Checks | high |
| 143830 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:3115-1) | Nessus | SuSE Local Security Checks | high |
| 143646 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1) | Nessus | SuSE Local Security Checks | high |
| 143182 | openSUSE Security Update : python (openSUSE-2020-1988) | Nessus | SuSE Local Security Checks | high |
| 143104 | Debian DLA-2456-1 : python3.5 security update | Nessus | Debian Local Security Checks | high |
| 142975 | Amazon Linux AMI : python27 (ALAS-2020-1454) | Nessus | Amazon Linux Local Security Checks | high |
| 142935 | Fedora 32 : mingw-python3 (2020-d42cb01973) | Nessus | Fedora Local Security Checks | high |
| 142630 | openSUSE Security Update : python (openSUSE-2020-1859) | Nessus | SuSE Local Security Checks | high |
| 142360 | EulerOS 2.0 SP9 : python3 (EulerOS-SA-2020-2419) | Nessus | Huawei Local Security Checks | high |
| 142308 | EulerOS 2.0 SP2 : python (EulerOS-SA-2020-2388) | Nessus | Huawei Local Security Checks | high |
| 142243 | EulerOS 2.0 SP9 : python3 (EulerOS-SA-2020-2437) | Nessus | Huawei Local Security Checks | high |
| 142161 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-2317) | Nessus | Huawei Local Security Checks | high |
| 142147 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-2318) | Nessus | Huawei Local Security Checks | high |
| 142104 | Fedora 31 : python2 (2020-e33acdea18) | Nessus | Fedora Local Security Checks | high |
| 141865 | Photon OS 3.0: Python3 PHSA-2020-3.0-0155 | Nessus | PhotonOS Local Security Checks | high |
| 141521 | Fedora 32 : python34 (2020-d30881c970) | Nessus | Fedora Local Security Checks | high |
| 141515 | Fedora 32 : python27 (2020-887d3fa26f) | Nessus | Fedora Local Security Checks | high |
| 141478 | Photon OS 1.0: Python3 PHSA-2020-1.0-0332 | Nessus | PhotonOS Local Security Checks | high |
| 141477 | Photon OS 2.0: Python3 PHSA-2020-2.0-0289 | Nessus | PhotonOS Local Security Checks | high |
| 141459 | Ubuntu 16.04 LTS / 18.04 LTS : Python vulnerability (USN-4581-1) | Nessus | Ubuntu Local Security Checks | high |
| 141277 | Fedora 33 : python2.7 (2020-221823ebdd) | Nessus | Fedora Local Security Checks | high |