Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-26137 (GCVE-0-2020-26137)
Vulnerability from cvelistv5 – Published: 2020-09-29 00:00 – Updated: 2024-08-04 15:49
VLAI
EPSS
Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Severity
6.5 (Medium)
CWE
- n/a
Assigner
References
8 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.python.org/issue39603"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T13:06:22.131Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.python.org/issue39603"
},
{
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26137",
"datePublished": "2020-09-29T00:00:00.000Z",
"dateReserved": "2020-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:49:07.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-26137",
"date": "2026-06-21",
"epss": "0.02199",
"percentile": "0.80189"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.25.9\", \"matchCriteriaId\": \"3EF5A26A-E388-4422-933C-6E2028A1C158\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\", \"matchCriteriaId\": \"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4B77BFB7-C105-4A42-A9A4-45EF4EC8556F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3E503FB-6279-4D4A-91D8-E237ECF9D2B0\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.\"}, {\"lang\": \"es\", \"value\": \"urllib3 versiones anteriores a 1.25.9, permite una inyecci\\u00f3n de CRLF si el atacante controla el m\\u00e9todo de petici\\u00f3n HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la funci\\u00f3n putrequest().\u0026#xa0;NOTA: esto es similar a CVE-2020-26116\"}]",
"id": "CVE-2020-26137",
"lastModified": "2024-11-21T05:19:19.680",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-09-30T18:15:26.773",
"references": "[{\"url\": \"https://bugs.python.org/issue39603\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/urllib3/urllib3/pull/1800\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://usn.ubuntu.com/4570-1/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://bugs.python.org/issue39603\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/urllib3/urllib3/pull/1800\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/4570-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-26137\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-09-30T18:15:26.773\",\"lastModified\":\"2024-11-21T05:19:19.680\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.\"},{\"lang\":\"es\",\"value\":\"urllib3 versiones anteriores a 1.25.9, permite una inyecci\u00f3n de CRLF si el atacante controla el m\u00e9todo de petici\u00f3n HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la funci\u00f3n putrequest().\u0026#xa0;NOTA: esto es similar a CVE-2020-26116\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.9\",\"matchCriteriaId\":\"3EF5A26A-E388-4422-933C-6E2028A1C158\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B77BFB7-C105-4A42-A9A4-45EF4EC8556F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3E503FB-6279-4D4A-91D8-E237ECF9D2B0\"}]}]}],\"references\":[{\"url\":\"https://bugs.python.org/issue39603\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/pull/1800\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/4570-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.python.org/issue39603\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/pull/1800\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4570-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
CERTFR-2024-AVI-0385
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services (Certified Container) toutes versions sans le dernier correctif de sécurité | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.2.x antérieures à 6.2.0.23 | ||
| IBM | N/A | AIX et VIOS sans le dernier correctif de sécurité | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions antérieures à 6.1.0.24 | ||
| IBM | QRadar | SOAR QRadar Plugin App versions antérieures à 5.4.0 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.3.x antérieures à 6.3.0.7 | ||
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP8 IF02 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Sterling Connect:Direct Web Services (Certified Container) toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.23",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "AIX et VIOS sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions ant\u00e9rieures \u00e0 6.1.0.24",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "SOAR QRadar Plugin App versions ant\u00e9rieures \u00e0 5.4.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.7",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP8 IF02",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-29483",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29483"
},
{
"name": "CVE-2024-20919",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20919"
},
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2023-1382",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1382"
},
{
"name": "CVE-2023-4732",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4732"
},
{
"name": "CVE-2022-48564",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48564"
},
{
"name": "CVE-2023-6681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6681"
},
{
"name": "CVE-2023-3138",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3138"
},
{
"name": "CVE-2023-46813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46813"
},
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2023-1838",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1838"
},
{
"name": "CVE-2024-27273",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27273"
},
{
"name": "CVE-2023-28328",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28328"
},
{
"name": "CVE-2023-51043",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51043"
},
{
"name": "CVE-2023-5633",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5633"
},
{
"name": "CVE-2023-52425",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52425"
},
{
"name": "CVE-2022-38457",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38457"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2022-45688",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45688"
},
{
"name": "CVE-2022-26691",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26691"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2024-20926",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20926"
},
{
"name": "CVE-2023-5178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5178"
},
{
"name": "CVE-2023-50868",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50868"
},
{
"name": "CVE-2023-6536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6536"
},
{
"name": "CVE-2023-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23455"
},
{
"name": "CVE-2020-10001",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10001"
},
{
"name": "CVE-2024-0646",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0646"
},
{
"name": "CVE-2021-33503",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33503"
},
{
"name": "CVE-2023-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40283"
},
{
"name": "CVE-2022-45884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45884"
},
{
"name": "CVE-2023-50782",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50782"
},
{
"name": "CVE-2007-4559",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-4559"
},
{
"name": "CVE-2023-33951",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33951"
},
{
"name": "CVE-2024-28102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
},
{
"name": "CVE-2023-2163",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2163"
},
{
"name": "CVE-2022-42895",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42895"
},
{
"name": "CVE-2024-22361",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22361"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2022-40133",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40133"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2023-45862",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45862"
},
{
"name": "CVE-2023-1989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1989"
},
{
"name": "CVE-2020-3898",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3898"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1855"
},
{
"name": "CVE-2018-20060",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20060"
},
{
"name": "CVE-2023-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25193"
},
{
"name": "CVE-2022-45869",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45869"
},
{
"name": "CVE-2023-2513",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2513"
},
{
"name": "CVE-2023-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
},
{
"name": "CVE-2023-20569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20569"
},
{
"name": "CVE-2023-4206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4206"
},
{
"name": "CVE-2023-6817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6817"
},
{
"name": "CVE-2023-31084",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31084"
},
{
"name": "CVE-2023-5072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5072"
},
{
"name": "CVE-2022-45919",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45919"
},
{
"name": "CVE-2019-13224",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13224"
},
{
"name": "CVE-2022-41858",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41858"
},
{
"name": "CVE-2023-3611",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3611"
},
{
"name": "CVE-2023-4128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4128"
},
{
"name": "CVE-2023-31436",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31436"
},
{
"name": "CVE-2023-1074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1074"
},
{
"name": "CVE-2019-19204",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19204"
},
{
"name": "CVE-2023-42753",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42753"
},
{
"name": "CVE-2023-4921",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4921"
},
{
"name": "CVE-2023-33203",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33203"
},
{
"name": "CVE-2023-3812",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3812"
},
{
"name": "CVE-2023-32360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32360"
},
{
"name": "CVE-2023-27043",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27043"
},
{
"name": "CVE-2024-27269",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27269"
},
{
"name": "CVE-2021-43975",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43975"
},
{
"name": "CVE-2023-4207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4207"
},
{
"name": "CVE-2018-19787",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19787"
},
{
"name": "CVE-2023-22067",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22067"
},
{
"name": "CVE-2023-6356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6356"
},
{
"name": "CVE-2024-1488",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1488"
},
{
"name": "CVE-2024-22195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
},
{
"name": "CVE-2023-1252",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1252"
},
{
"name": "CVE-2023-44794",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44794"
},
{
"name": "CVE-2022-3545",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3545"
},
{
"name": "CVE-2023-2176",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2176"
},
{
"name": "CVE-2023-2162",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2162"
},
{
"name": "CVE-2023-1079",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1079"
},
{
"name": "CVE-2022-36402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36402"
},
{
"name": "CVE-2023-33952",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33952"
},
{
"name": "CVE-2023-32324",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32324"
},
{
"name": "CVE-2023-36478",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
},
{
"name": "CVE-2014-3146",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3146"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2023-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3772"
},
{
"name": "CVE-2022-4744",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4744"
},
{
"name": "CVE-2023-3161",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3161"
},
{
"name": "CVE-2023-35824",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35824"
},
{
"name": "CVE-2023-45871",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45871"
},
{
"name": "CVE-2023-1998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1998"
},
{
"name": "CVE-2023-28772",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28772"
},
{
"name": "CVE-2022-40982",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40982"
},
{
"name": "CVE-2019-16163",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16163"
},
{
"name": "CVE-2023-1786",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1786"
},
{
"name": "CVE-2023-1075",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1075"
},
{
"name": "CVE-2023-3609",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3609"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4155"
},
{
"name": "CVE-2023-4208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4208"
},
{
"name": "CVE-2023-35823",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35823"
},
{
"name": "CVE-2019-9740",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9740"
},
{
"name": "CVE-2023-26545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26545"
},
{
"name": "CVE-2022-3640",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3640"
},
{
"name": "CVE-2022-45887",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45887"
},
{
"name": "CVE-2023-6535",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6535"
},
{
"name": "CVE-2024-26130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26130"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2019-19203",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19203"
},
{
"name": "CVE-2023-1118",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1118"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2023-2597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
},
{
"name": "CVE-2022-48560",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48560"
},
{
"name": "CVE-2022-3594",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3594"
},
{
"name": "CVE-2023-34241",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34241"
},
{
"name": "CVE-2022-38096",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38096"
},
{
"name": "CVE-2023-4622",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4622"
},
{
"name": "CVE-2019-8696",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8696"
},
{
"name": "CVE-2020-26137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26137"
},
{
"name": "CVE-2019-11324",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11324"
},
{
"name": "CVE-2023-3141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3141"
},
{
"name": "CVE-2022-28388",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28388"
},
{
"name": "CVE-2023-30456",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30456"
},
{
"name": "CVE-2023-2004",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2004"
},
{
"name": "CVE-2023-5676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
},
{
"name": "CVE-2023-6606",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6606"
},
{
"name": "CVE-2019-11236",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11236"
},
{
"name": "CVE-2023-6932",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6932"
},
{
"name": "CVE-2023-0458",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0458"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-1073",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1073"
},
{
"name": "CVE-2023-3212",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3212"
},
{
"name": "CVE-2021-33631",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33631"
},
{
"name": "CVE-2023-50387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50387"
},
{
"name": "CVE-2024-0985",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0985"
},
{
"name": "CVE-2024-20932",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20932"
},
{
"name": "CVE-2022-48624",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48624"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2023-0597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0597"
},
{
"name": "CVE-2023-6546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6546"
},
{
"name": "CVE-2023-7192",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7192"
},
{
"name": "CVE-2023-4132",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4132"
},
{
"name": "CVE-2024-1086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1086"
},
{
"name": "CVE-2023-1206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1206"
},
{
"name": "CVE-2024-0565",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0565"
},
{
"name": "CVE-2019-8675",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8675"
},
{
"name": "CVE-2023-4623",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4623"
},
{
"name": "CVE-2023-51042",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51042"
},
{
"name": "CVE-2023-0590",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0590"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2023-3268",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3268"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2023-5717",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5717"
},
{
"name": "CVE-2019-19012",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19012"
},
{
"name": "CVE-2020-27783",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27783"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
},
{
"name": "CVE-2021-43818",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43818"
},
{
"name": "CVE-2021-43618",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43618"
},
{
"name": "CVE-2023-2166",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2166"
},
{
"name": "CVE-2023-1192",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1192"
},
{
"name": "CVE-2023-6931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6931"
},
{
"name": "CVE-2023-6610",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6610"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0385",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0\ndistance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150297 du 06 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150297"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150684 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150684"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150803 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150803"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150277 du 05 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150277"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150196 du 03 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150196"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150798 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150798"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150804 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150804"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150799 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150799"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150276 du 05 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150276"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150802 du 09 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150802"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7150362 du 07 mai 2024",
"url": "https://www.ibm.com/support/pages/node/7150362"
}
]
}
CERTFR-2024-AVI-0903
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | N/A | WebSphere Application Server Liberty versions 20.0.12 à 24.0.0.10 sans le correctif de sécurité PH63533 ou antérieures à 24.0.0.11 (disponibilité prévue pour le dernier trimestre 2024) | ||
| IBM | N/A | QRadar Incident Forensics versions 7.5.x antérieures à 7.5.0 UP10 | ||
| IBM | N/A | Storage Protect Server versions 8.1.x antérieures à 8.1.24 | ||
| IBM | N/A | Robotic Process Automation pour Cloud Pak versions 23.0.x antérieures à 23.0.18 | ||
| IBM | N/A | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP10 | ||
| IBM | N/A | Robotic Process Automation versions 21.0..0.x antérieures à 21.0.7.18 | ||
| IBM | N/A | Robotic Process Automation versions 23.0.x antérieures à 23.0.18 | ||
| IBM | N/A | Robotic Process Automation pour Cloud Pak versions 21.0.0.x antérieures à 21.0.7.18 | ||
| IBM | N/A | QRadar Network Capture versions 7.5.x antérieures à 7.5.0 Update Package 10 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere Application Server Liberty versions 20.0.12 \u00e0 24.0.0.10 sans le correctif de s\u00e9curit\u00e9 PH63533 ou ant\u00e9rieures \u00e0 24.0.0.11 (disponibilit\u00e9 pr\u00e9vue pour le dernier trimestre 2024)",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Incident Forensics versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP10",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect Server versions 8.1.x ant\u00e9rieures \u00e0 8.1.24",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Robotic Process Automation pour Cloud Pak versions 23.0.x ant\u00e9rieures \u00e0 23.0.18",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP10",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Robotic Process Automation versions 21.0..0.x ant\u00e9rieures \u00e0 21.0.7.18",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Robotic Process Automation versions 23.0.x ant\u00e9rieures \u00e0 23.0.18",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Robotic Process Automation pour Cloud Pak versions 21.0.0.x ant\u00e9rieures \u00e0 21.0.7.18",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Network Capture versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 Update Package 10",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-37370",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37370"
},
{
"name": "CVE-2023-25577",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25577"
},
{
"name": "CVE-2023-37536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37536"
},
{
"name": "CVE-2023-52675",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52675"
},
{
"name": "CVE-2024-26656",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26656"
},
{
"name": "CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"name": "CVE-2024-26974",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26974"
},
{
"name": "CVE-2022-48468",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48468"
},
{
"name": "CVE-2023-20592",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20592"
},
{
"name": "CVE-2018-1311",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1311"
},
{
"name": "CVE-2024-26585",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26585"
},
{
"name": "CVE-2024-23944",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23944"
},
{
"name": "CVE-2024-27397",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27397"
},
{
"name": "CVE-2020-25219",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25219"
},
{
"name": "CVE-2024-35854",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35854"
},
{
"name": "CVE-2024-28757",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28757"
},
{
"name": "CVE-2023-52878",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52878"
},
{
"name": "CVE-2023-45853",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45853"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2024-5564",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5564"
},
{
"name": "CVE-2023-23934",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23934"
},
{
"name": "CVE-2021-42771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42771"
},
{
"name": "CVE-2023-52669",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52669"
},
{
"name": "CVE-2024-31881",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31881"
},
{
"name": "CVE-2024-36004",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36004"
},
{
"name": "CVE-2024-26859",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26859"
},
{
"name": "CVE-2022-38725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38725"
},
{
"name": "CVE-2024-35959",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35959"
},
{
"name": "CVE-2024-35855",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35855"
},
{
"name": "CVE-2024-31880",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31880"
},
{
"name": "CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"name": "CVE-2024-26801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26801"
},
{
"name": "CVE-2024-36007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36007"
},
{
"name": "CVE-2021-47311",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47311"
},
{
"name": "CVE-2024-28762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28762"
},
{
"name": "CVE-2021-45429",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45429"
},
{
"name": "CVE-2024-25629",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25629"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2024-35852",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35852"
},
{
"name": "CVE-2020-7212",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7212"
},
{
"name": "CVE-2023-52781",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52781"
},
{
"name": "CVE-2024-35845",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35845"
},
{
"name": "CVE-2021-47073",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47073"
},
{
"name": "CVE-2024-26804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26804"
},
{
"name": "CVE-2024-28786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28786"
},
{
"name": "CVE-2023-52686",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52686"
},
{
"name": "CVE-2021-47236",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47236"
},
{
"name": "CVE-2024-35890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35890"
},
{
"name": "CVE-2024-22195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
},
{
"name": "CVE-2023-52877",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52877"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2023-6349",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6349"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2024-32487",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32487"
},
{
"name": "CVE-2024-26826",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26826"
},
{
"name": "CVE-2024-26583",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26583"
},
{
"name": "CVE-2024-35888",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35888"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"name": "CVE-2023-52700",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52700"
},
{
"name": "CVE-2023-46136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46136"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2021-47495",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47495"
},
{
"name": "CVE-2024-26675",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26675"
},
{
"name": "CVE-2024-26906",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26906"
},
{
"name": "CVE-2024-26584",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26584"
},
{
"name": "CVE-2023-31346",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31346"
},
{
"name": "CVE-2024-5197",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5197"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2024-35835",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35835"
},
{
"name": "CVE-2024-26735",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26735"
},
{
"name": "CVE-2023-52881",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52881"
},
{
"name": "CVE-2021-46972",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46972"
},
{
"name": "CVE-2020-26137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26137"
},
{
"name": "CVE-2023-29267",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29267"
},
{
"name": "CVE-2023-52667",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52667"
},
{
"name": "CVE-2023-52703",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52703"
},
{
"name": "CVE-2022-48624",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48624"
},
{
"name": "CVE-2024-26759",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26759"
},
{
"name": "CVE-2023-52464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52464"
},
{
"name": "CVE-2023-52813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52813"
},
{
"name": "CVE-2024-35838",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35838"
},
{
"name": "CVE-2023-52615",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52615"
},
{
"name": "CVE-2023-52560",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52560"
},
{
"name": "CVE-2024-3651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
},
{
"name": "CVE-2022-46329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46329"
},
{
"name": "CVE-2021-47069",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47069"
},
{
"name": "CVE-2020-26154",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26154"
},
{
"name": "CVE-2024-35960",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35960"
},
{
"name": "CVE-2023-30861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30861"
},
{
"name": "CVE-2023-2953",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2953"
},
{
"name": "CVE-2020-26555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26555"
},
{
"name": "CVE-2024-35789",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35789"
},
{
"name": "CVE-2023-52835",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52835"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2024-26982",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26982"
},
{
"name": "CVE-2021-47310",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47310"
},
{
"name": "CVE-2023-52626",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52626"
},
{
"name": "CVE-2024-35958",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35958"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2021-47456",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47456"
},
{
"name": "CVE-2024-28752",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28752"
},
{
"name": "CVE-2021-47356",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47356"
},
{
"name": "CVE-2024-28182",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28182"
},
{
"name": "CVE-2021-47353",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47353"
},
{
"name": "CVE-2024-37371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37371"
},
{
"name": "CVE-2023-5090",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5090"
},
{
"name": "CVE-2024-27410",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27410"
},
{
"name": "CVE-2021-46909",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46909"
},
{
"name": "CVE-2024-35853",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35853"
},
{
"name": "CVE-2024-26907",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26907"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0903",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-10-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173421",
"url": "https://www.ibm.com/support/pages/node/7173421"
},
{
"published_at": "2024-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173043",
"url": "https://www.ibm.com/support/pages/node/7173043"
},
{
"published_at": "2024-10-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173420",
"url": "https://www.ibm.com/support/pages/node/7173420"
},
{
"published_at": "2024-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173226",
"url": "https://www.ibm.com/support/pages/node/7173226"
},
{
"published_at": "2024-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173224",
"url": "https://www.ibm.com/support/pages/node/7173224"
},
{
"published_at": "2024-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7173097",
"url": "https://www.ibm.com/support/pages/node/7173097"
}
]
}
CERTFR-2025-AVI-0356
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Splunk User Behavior Analytics (UBA). Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Splunk | Splunk User Behavior Analytics (UBA) | Splunk User Behavior Analytics (UBA) versions 5.4.x antérieures à 5.4.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Splunk User Behavior Analytics (UBA) versions 5.4.x ant\u00e9rieures \u00e0 5.4.2",
"product": {
"name": "Splunk User Behavior Analytics (UBA)",
"vendor": {
"name": "Splunk",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"name": "CVE-2024-43799",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43799"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2024-45590",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45590"
},
{
"name": "CVE-2024-43796",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43796"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2020-26137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26137"
},
{
"name": "CVE-2024-43800",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43800"
},
{
"name": "CVE-2019-11236",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11236"
},
{
"name": "CVE-2024-3651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
},
{
"name": "CVE-2022-40898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40898"
},
{
"name": "CVE-2024-6345",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0356",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-04-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk User Behavior Analytics (UBA). Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Splunk User Behavior Analytics (UBA)",
"vendor_advisories": [
{
"published_at": "2025-04-29",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2025-0418",
"url": "https://advisory.splunk.com/advisories/SVD-2025-0418"
}
]
}
CERTFR-2026-AVI-0395
Vulnerability from certfr_avis - Published: 2026-04-03 - Updated: 2026-04-03
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere | WebSphere eXtreme Scale versions 8.6.1.x sans le correctif de sécurité PH70422 | ||
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP15 IF01 | ||
| IBM | WebSphere Automation | WebSphere Automation versions antérieures à 1.12.0 | ||
| IBM | Storage Protect | Storage Protect Plus Server versions 10.1.x antérieures à 10.1.18 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere eXtreme Scale versions 8.6.1.x sans le correctif de s\u00e9curit\u00e9 PH70422",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP15 IF01",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Automation versions ant\u00e9rieures \u00e0 1.12.0",
"product": {
"name": "WebSphere Automation",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect Plus Server versions 10.1.x ant\u00e9rieures \u00e0 10.1.18",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-26007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26007"
},
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31651"
},
{
"name": "CVE-2021-3200",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3200"
},
{
"name": "CVE-2023-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40217"
},
{
"name": "CVE-2026-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21933"
},
{
"name": "CVE-2026-21932",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21932"
},
{
"name": "CVE-2024-42316",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42316"
},
{
"name": "CVE-2023-3006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3006"
},
{
"name": "CVE-2026-27205",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27205"
},
{
"name": "CVE-2017-18342",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18342"
},
{
"name": "CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"name": "CVE-2021-3733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3733"
},
{
"name": "CVE-2022-2255",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2255"
},
{
"name": "CVE-2019-20477",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20477"
},
{
"name": "CVE-2022-48468",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48468"
},
{
"name": "CVE-2020-1747",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1747"
},
{
"name": "CVE-2024-38286",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
},
{
"name": "CVE-2024-43898",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43898"
},
{
"name": "CVE-2019-20907",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20907"
},
{
"name": "CVE-2021-44568",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44568"
},
{
"name": "CVE-2021-3572",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3572"
},
{
"name": "CVE-2020-14343",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14343"
},
{
"name": "CVE-2021-33929",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33929"
},
{
"name": "CVE-2021-23336",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23336"
},
{
"name": "CVE-2019-9947",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9947"
},
{
"name": "CVE-2018-20852",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20852"
},
{
"name": "CVE-2024-5629",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5629"
},
{
"name": "CVE-2021-28957",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28957"
},
{
"name": "CVE-2024-6232",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
},
{
"name": "CVE-2025-69419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69419"
},
{
"name": "CVE-2025-24813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24813"
},
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
},
{
"name": "CVE-2021-33503",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33503"
},
{
"name": "CVE-2021-46877",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46877"
},
{
"name": "CVE-2021-42771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42771"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2025-55752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55752"
},
{
"name": "CVE-2021-33928",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33928"
},
{
"name": "CVE-2022-48565",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48565"
},
{
"name": "CVE-2020-26116",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26116"
},
{
"name": "CVE-2018-18074",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18074"
},
{
"name": "CVE-2020-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10735"
},
{
"name": "CVE-2018-20060",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20060"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2024-27398",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27398"
},
{
"name": "CVE-2019-9636",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9636"
},
{
"name": "CVE-2026-21925",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21925"
},
{
"name": "CVE-2019-11340",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11340"
},
{
"name": "CVE-2026-21860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21860"
},
{
"name": "CVE-2023-27043",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27043"
},
{
"name": "CVE-2025-8194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8194"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2025-50181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50181"
},
{
"name": "CVE-2026-23074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23074"
},
{
"name": "CVE-2025-55754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55754"
},
{
"name": "CVE-2024-22195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
},
{
"name": "CVE-2023-23931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23931"
},
{
"name": "CVE-2024-56337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
},
{
"name": "CVE-2022-42919",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42919"
},
{
"name": "CVE-2024-0450",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0450"
},
{
"name": "CVE-2019-9948",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9948"
},
{
"name": "CVE-2026-1188",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1188"
},
{
"name": "CVE-2024-43823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43823"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2026-27199",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27199"
},
{
"name": "CVE-2021-4189",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4189"
},
{
"name": "CVE-2021-29921",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29921"
},
{
"name": "CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"name": "CVE-2021-3426",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3426"
},
{
"name": "CVE-2025-12818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12818"
},
{
"name": "CVE-2025-38129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38129"
},
{
"name": "CVE-2019-9740",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9740"
},
{
"name": "CVE-2019-20916",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20916"
},
{
"name": "CVE-2026-23001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23001"
},
{
"name": "CVE-2021-3737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3737"
},
{
"name": "CVE-2024-42294",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42294"
},
{
"name": "CVE-2021-33930",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33930"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2020-27619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27619"
},
{
"name": "CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"name": "CVE-2020-8492",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8492"
},
{
"name": "CVE-2022-48560",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48560"
},
{
"name": "CVE-2019-18874",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18874"
},
{
"name": "CVE-2025-49124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49124"
},
{
"name": "CVE-2025-8869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8869"
},
{
"name": "CVE-2021-3177",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
},
{
"name": "CVE-2024-34750",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34750"
},
{
"name": "CVE-2020-26137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26137"
},
{
"name": "CVE-2021-20270",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20270"
},
{
"name": "CVE-2019-11324",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11324"
},
{
"name": "CVE-2024-46759",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46759"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2019-11236",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11236"
},
{
"name": "CVE-2026-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21945"
},
{
"name": "CVE-2024-36880",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36880"
},
{
"name": "CVE-2019-16056",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16056"
},
{
"name": "CVE-2024-43820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43820"
},
{
"name": "CVE-2024-43821",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43821"
},
{
"name": "CVE-2024-3651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
},
{
"name": "CVE-2023-24329",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24329"
},
{
"name": "CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"name": "CVE-2025-31650",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31650"
},
{
"name": "CVE-2024-4032",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4032"
},
{
"name": "CVE-2024-50067",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50067"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2024-50379",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
},
{
"name": "CVE-2025-14847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14847"
},
{
"name": "CVE-2015-20107",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-20107"
},
{
"name": "CVE-2024-42321",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42321"
},
{
"name": "CVE-2024-52317",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52317"
},
{
"name": "CVE-2026-23097",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23097"
},
{
"name": "CVE-2020-28493",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28493"
},
{
"name": "CVE-2020-27783",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27783"
},
{
"name": "CVE-2019-7548",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7548"
},
{
"name": "CVE-2020-14422",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14422"
},
{
"name": "CVE-2024-52316",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52316"
},
{
"name": "CVE-2021-33938",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33938"
},
{
"name": "CVE-2023-6597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6597"
},
{
"name": "CVE-2021-43818",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43818"
},
{
"name": "CVE-2019-16935",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16935"
},
{
"name": "CVE-2025-68800",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68800"
},
{
"name": "CVE-2021-27291",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27291"
},
{
"name": "CVE-2019-7164",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7164"
},
{
"name": "CVE-2021-43618",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43618"
},
{
"name": "CVE-2025-38248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38248"
},
{
"name": "CVE-2024-6923",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6923"
},
{
"name": "CVE-2024-8088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8088"
}
],
"initial_release_date": "2026-04-03T00:00:00",
"last_revision_date": "2026-04-03T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0395",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-03T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-03-31",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7268179",
"url": "https://www.ibm.com/support/pages/node/7268179"
},
{
"published_at": "2026-03-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7267689",
"url": "https://www.ibm.com/support/pages/node/7267689"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7268331",
"url": "https://www.ibm.com/support/pages/node/7268331"
},
{
"published_at": "2026-03-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7267801",
"url": "https://www.ibm.com/support/pages/node/7267801"
}
]
}
cleanstart-2026-sv37938
Vulnerability from cleanstart
Published
2026-05-18 13:25
Modified
2026-05-12 11:50
Summary
Security fixes for CVE-2020-26137 applied in versions: 1.25.9-r0, 1.26.17-r0, 1.26.18-r0, 1.26.4-r0
Details
Security vulnerability affects the py3-urllib3 package. This issue is resolved in later releases. See references for vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "py3-urllib3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Security vulnerability affects the py3-urllib3 package. This issue is resolved in later releases. See references for vulnerability details.",
"id": "CLEANSTART-2026-SV37938",
"modified": "2026-05-12T11:50:08Z",
"published": "2026-05-18T13:25:11.669978Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SV37938.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-26137"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26137"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2020-26137 applied in versions: 1.25.9-r0, 1.26.17-r0, 1.26.18-r0, 1.26.4-r0",
"upstream": [
"CVE-2020-26137"
]
}
FKIE_CVE-2020-26137
Vulnerability from fkie_nvd - Published: 2020-09-30 18:15 - Updated: 2026-06-17 03:07
Severity
Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python | urllib3 | * | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| debian | debian_linux | 9.0 | |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 22.2.0 | |
| oracle | zfs_storage_appliance_kit | 8.8 |
{
"affected": [
{
"affectedData": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"source": "cve@mitre.org"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3EF5A26A-E388-4422-933C-6E2028A1C158",
"versionEndExcluding": "1.25.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4B77BFB7-C105-4A42-A9A4-45EF4EC8556F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
},
{
"lang": "es",
"value": "urllib3 versiones anteriores a 1.25.9, permite una inyecci\u00f3n de CRLF si el atacante controla el m\u00e9todo de petici\u00f3n HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la funci\u00f3n putrequest().\u0026#xa0;NOTA: esto es similar a CVE-2020-26116"
}
],
"id": "CVE-2020-26137",
"lastModified": "2026-06-17T03:07:39.533",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-30T18:15:26.773",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WQVQ-5M8C-6G24
Vulnerability from github – Published: 2021-06-18 18:46 – Updated: 2024-11-18 22:42
VLAI
Summary
CRLF injection in urllib3
Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "urllib3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26137"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-17T22:13:47Z",
"nvd_published_at": "2020-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.",
"id": "GHSA-wqvq-5m8c-6g24",
"modified": "2024-11-18T22:42:10Z",
"published": "2021-06-18T18:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26137"
},
{
"type": "WEB",
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"type": "WEB",
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue39603"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2020-148.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/urllib3/urllib3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4570-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CRLF injection in urllib3"
}
GSD-2020-26137
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-26137",
"description": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"id": "GSD-2020-26137",
"references": [
"https://www.suse.com/security/cve/CVE-2020-26137.html",
"https://access.redhat.com/errata/RHSA-2021:1761",
"https://access.redhat.com/errata/RHSA-2021:1631",
"https://access.redhat.com/errata/RHSA-2021:0079",
"https://access.redhat.com/errata/RHSA-2021:0034",
"https://access.redhat.com/errata/RHSA-2020:4299",
"https://ubuntu.com/security/CVE-2020-26137",
"https://advisories.mageia.org/CVE-2020-26137.html",
"https://linux.oracle.com/cve/CVE-2020-26137.html",
"https://access.redhat.com/errata/RHSA-2022:5235"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-26137"
],
"details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"id": "GSD-2020-26137",
"modified": "2023-12-13T01:22:08.747642Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.python.org/issue39603",
"refsource": "MISC",
"url": "https://bugs.python.org/issue39603"
},
{
"name": "https://github.com/urllib3/urllib3/pull/1800",
"refsource": "MISC",
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"name": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b",
"refsource": "MISC",
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.25.9",
"affected_versions": "All versions before 1.25.9",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2021-12-07",
"description": "urllib3 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting `CR` and `LF` control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.",
"fixed_versions": [
"1.25.9"
],
"identifier": "CVE-2020-26137",
"identifiers": [
"CVE-2020-26137"
],
"not_impacted": "All versions starting from 1.25.9",
"package_slug": "pypi/urllib3",
"pubdate": "2020-09-30",
"solution": "Upgrade to version 1.25.9 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-26137",
"https://bugs.python.org/issue39603"
],
"uuid": "6801dbac-c618-4270-84f5-c8d5e7b7542e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.25.9",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26137"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.python.org/issue39603",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"name": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "https://github.com/urllib3/urllib3/pull/1800",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"name": "USN-4570-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "N/A",
"refsource": "N/A",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5
}
},
"lastModifiedDate": "2023-10-08T14:15Z",
"publishedDate": "2020-09-30T18:15Z"
}
}
}
MSRC_CVE-2020-26137
Vulnerability from csaf_microsoft - Published: 2020-09-02 00:00 - Updated: 2020-12-21 00:00Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 16991-16820 | — |
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 16820-2 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-1 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2020/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2020/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2020-26137 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-26137.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"tracking": {
"current_release_date": "2020-12-21T00:00:00.000Z",
"generator": {
"date": "2025-10-19T18:07:00.391Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2020-26137",
"initial_release_date": "2020-09-02T00:00:00.000Z",
"revision_history": [
{
"date": "2020-12-21T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 python-urllib3 1.25.9-2",
"product": {
"name": "\u003ccm1 python-urllib3 1.25.9-2",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cm1 python-urllib3 1.25.9-2",
"product": {
"name": "cm1 python-urllib3 1.25.9-2",
"product_id": "16991"
}
}
],
"category": "product_name",
"name": "python-urllib3"
},
{
"category": "product_name",
"name": "cbl2 python-virtualenv 20.26.6-1",
"product": {
"name": "cbl2 python-virtualenv 20.26.6-1",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 python-urllib3 1.25.9-2 as a component of CBL Mariner 1.0",
"product_id": "16820-2"
},
"product_reference": "2",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 python-urllib3 1.25.9-2 as a component of CBL Mariner 1.0",
"product_id": "16991-16820"
},
"product_reference": "16991",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"flags": [
{
"label": "vulnerable_code_not_in_execute_path",
"product_ids": [
"17086-1"
]
}
],
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"16991-16820"
],
"known_affected": [
"16820-2"
],
"known_not_affected": [
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2020-26137 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-26137.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-21T00:00:00.000Z",
"details": "1.25.9-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"16820-2"
]
}
],
"title": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
}
OPENSUSE-SU-2020:2237-1
Vulnerability from csaf_opensuse - Published: 2020-12-13 05:24 - Updated: 2020-12-13 05:24Summary
Security update for python-urllib3
Severity
Moderate
Notes
Title of the patch: Security update for python-urllib3
Description of the patch: This update for python-urllib3 fixes the following issues:
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2020-2237
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-urllib3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-urllib3 fixes the following issues:\n\n- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).\t \n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-2237",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_2237-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:2237-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3Y5UAWOTOHQRGI2VNSOUDC2SOAHGJLAH/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:2237-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3Y5UAWOTOHQRGI2VNSOUDC2SOAHGJLAH/"
},
{
"category": "self",
"summary": "SUSE Bug 1177120",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "Security update for python-urllib3",
"tracking": {
"current_release_date": "2020-12-13T05:24:04Z",
"generator": {
"date": "2020-12-13T05:24:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:2237-1",
"initial_release_date": "2020-12-13T05:24:04Z",
"revision_history": [
{
"date": "2020-12-13T05:24:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"product_id": "python2-urllib3-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"product_id": "python2-urllib3-test-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"product_id": "python3-urllib3-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"product_id": "python3-urllib3-test-1.24-lp152.5.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-12-13T05:24:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…