CVE-2020-26116

MEDIUM

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

References

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html

https://bugs.python.org/issue39603

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/

https://lists.fedoraproject.org/archives/list/[email protected]/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/

https://lists.fedoraproject.org/archives/list/[email protected]/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/

https://lists.fedoraproject.org/archives/list/[email protected]/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/

https://python-security.readthedocs.io/vuln/http-header-injection-method.html

https://security.gentoo.org/glsa/202101-18

https://security.netapp.com/advisory/ntap-20201023-0001/

https://usn.ubuntu.com/4581-1/

Details

Source: MITRE

Published: 2020-09-27

Updated: 2021-01-26

Type: CWE-116

Risk Information

CVSS v2.0

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Tenable Plugins

View all (35 total)

IDNameProductFamilySeverity
148008Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3)NessusUbuntu Local Security Checks
high
147696EulerOS : python3 (EulerOS-SA-2021-1649)NessusHuawei Local Security Checks
high
147485EulerOS : python3 (EulerOS-SA-2021-1623)NessusHuawei Local Security Checks
high
147474EulerOS Virtualization 3.0.2.6 : python (EulerOS-SA-2021-1449)NessusHuawei Local Security Checks
medium
147120EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2021-1560)NessusHuawei Local Security Checks
high
147105EulerOS Virtualization 3.0.6.6 : python (EulerOS-SA-2021-1512)NessusHuawei Local Security Checks
high
147031EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2021-1543)NessusHuawei Local Security Checks
high
146127EulerOS 2.0 SP5 : python (EulerOS-SA-2021-1226)NessusHuawei Local Security Checks
high
145389openSUSE Security Update : python3 (openSUSE-2020-2333)NessusSuSE Local Security Checks
high
145326openSUSE Security Update : python3 (openSUSE-2020-2332)NessusSuSE Local Security Checks
high
145303GLSA-202101-18 : Python: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
145144EulerOS 2.0 SP3 : python (EulerOS-SA-2021-1114)NessusHuawei Local Security Checks
high
144586SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1)NessusSuSE Local Security Checks
high
143876SUSE SLES12 Security Update : python (SUSE-SU-2020:3121-1)NessusSuSE Local Security Checks
medium
143854SUSE SLES12 Security Update : python3 (SUSE-SU-2020:3262-1)NessusSuSE Local Security Checks
medium
143830SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:3115-1)NessusSuSE Local Security Checks
medium
143646SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1)NessusSuSE Local Security Checks
medium
143182openSUSE Security Update : python (openSUSE-2020-1988)NessusSuSE Local Security Checks
medium
143104Debian DLA-2456-1 : python3.5 security updateNessusDebian Local Security Checks
medium
142975Amazon Linux AMI : python27 (ALAS-2020-1454)NessusAmazon Linux Local Security Checks
medium
142935Fedora 32 : mingw-python3 (2020-d42cb01973)NessusFedora Local Security Checks
medium
142630openSUSE Security Update : python (openSUSE-2020-1859)NessusSuSE Local Security Checks
medium
142360EulerOS 2.0 SP9 : python3 (EulerOS-SA-2020-2419)NessusHuawei Local Security Checks
medium
142308EulerOS 2.0 SP2 : python (EulerOS-SA-2020-2388)NessusHuawei Local Security Checks
medium
142243EulerOS : python3 (EulerOS-SA-2020-2437)NessusHuawei Local Security Checks
medium
142161EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-2317)NessusHuawei Local Security Checks
medium
142147EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-2318)NessusHuawei Local Security Checks
medium
142104Fedora 31 : python2 (2020-e33acdea18)NessusFedora Local Security Checks
medium
141865Photon OS 3.0: Python3 PHSA-2020-3.0-0155NessusPhotonOS Local Security Checks
medium
141521Fedora 32 : python34 (2020-d30881c970)NessusFedora Local Security Checks
medium
141515Fedora 32 : python27 (2020-887d3fa26f)NessusFedora Local Security Checks
medium
141478Photon OS 1.0: Python3 PHSA-2020-1.0-0332NessusPhotonOS Local Security Checks
medium
141477Photon OS 2.0: Python3 PHSA-2020-2.0-0289NessusPhotonOS Local Security Checks
medium
141459Ubuntu 16.04 LTS / 18.04 LTS : Python vulnerability (USN-4581-1)NessusUbuntu Local Security Checks
medium
141277Fedora 33 : python2.7 (2020-221823ebdd)NessusFedora Local Security Checks
medium