CVE-2020-26137

medium

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

https://bugs.python.org/issue39603

https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

https://github.com/urllib3/urllib3/pull/1800

https://usn.ubuntu.com/4570-1/

https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujul2022.html

Details

Source: MITRE

Published: 2020-09-30

Updated: 2022-07-25

Type: CWE-74

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Impact Score: 2.5

Exploitability Score: 3.9

Severity: MEDIUM