CVE-2020-26137

medium

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

https://bugs.python.org/issue39603

https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

https://github.com/urllib3/urllib3/pull/1800

https://usn.ubuntu.com/4570-1/

https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

Details

Source: MITRE

Published: 2020-09-30

Updated: 2021-06-15

Type: CWE-74

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Impact Score: 2.5

Exploitability Score: 3.9

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

Tenable Plugins

21 plugins total

ID | Name | Product | Family | Severity
153744 | Photon OS 2.0: Python PHSA-2021-2.0-0393 | Nessus | PhotonOS Local Security Checks | medium
153687 | EulerOS 2.0 SP9 : python-urllib3 (EulerOS-SA-2021-2541) | Nessus | Huawei Local Security Checks | medium
153685 | EulerOS 2.0 SP9 : python-urllib3 (EulerOS-SA-2021-2565) | Nessus | Huawei Local Security Checks | medium
153655 | EulerOS 2.0 SP8 : python-urllib3 (EulerOS-SA-2021-2485) | Nessus | Huawei Local Security Checks | medium
152896 | openSUSE 15 Security Update : aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 (openSUSE-SU-2021:1206-1) | Nessus | SuSE Local Security Checks | medium
152767 | openSUSE 15 Security Update : aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 (openSUSE-SU-2021:2817-1) | Nessus | SuSE Local Security Checks | medium
152766 | SUSE SLED15 / SLES15 Security Update : aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 (SUSE-SU-2021:2817-1) | Nessus | SuSE Local Security Checks | medium
152764 | Oracle Linux 8 : python27:2.7 (ELSA-2021-1761) | Nessus | Oracle Linux Local Security Checks | critical
150967 | Amazon Linux 2 : python-urllib3 (ALAS-2021-1668) | Nessus | Amazon Linux Local Security Checks | medium
150806 | Debian DLA-2686-1 : python-urllib3 security update | Nessus | Debian Local Security Checks | medium
150239 | Photon OS 3.0: Python PHSA-2021-3.0-0246 | Nessus | PhotonOS Local Security Checks | medium
149964 | Oracle Linux 8 : python-urllib3 (ELSA-2021-1631) | Nessus | Oracle Linux Local Security Checks | medium
149749 | CentOS 8 : python27:2.7 (CESA-2021:1761) | Nessus | CentOS Local Security Checks | critical
149747 | CentOS 8 : python-urllib3 (CESA-2021:1631) | Nessus | CentOS Local Security Checks | medium
149710 | RHEL 8 : python27:2.7 (RHSA-2021:1761) | Nessus | Red Hat Local Security Checks | critical
149706 | RHEL 8 : python-urllib3 (RHSA-2021:1631) | Nessus | Red Hat Local Security Checks | medium
145382 | openSUSE Security Update : python-urllib3 (openSUSE-2020-2282) | Nessus | SuSE Local Security Checks | medium
145229 | RHEL 7 : OpenShift Container Platform 3.11.374 bug fix and (RHSA-2021:0079) | Nessus | Red Hat Local Security Checks | medium
145089 | RHEL 7 : OpenShift Container Platform 4.5.27 packages and (RHSA-2021:0034) | Nessus | Red Hat Local Security Checks | medium
144316 | openSUSE Security Update : python-urllib3 (openSUSE-2020-2237) | Nessus | SuSE Local Security Checks | medium
141177 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : urllib3 vulnerability (USN-4570-1) | Nessus | Ubuntu Local Security Checks | medium