github - GHSA-wqvq-5m8c-6g24

GHSA-wqvq-5m8c-6g24

Vulnerability from github

Published

2021-06-18 18:46

Modified

2023-09-05 18:05

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

CRLF injection in urllib3

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "urllib3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T22:13:47Z",
    "nvd_published_at": "2020-09-30T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.",
  "id": "GHSA-wqvq-5m8c-6g24",
  "modified": "2023-09-05T18:05:33Z",
  "published": "2021-06-18T18:46:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/pull/1800"
    },
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue39603"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/urllib3/urllib3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4570-1"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CRLF injection in urllib3"
}

pysec-2020-148

Vulnerability from pysec

Published

2020-09-30 18:15

Modified

2020-10-14 05:15

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "urllib3",
        "purl": "pkg:pypi/urllib3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
            }
          ],
          "repo": "https://github.com/urllib3/urllib3",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.2",
        "0.3",
        "0.3.1",
        "0.4.0",
        "0.4.1",
        "1.0",
        "1.0.1",
        "1.0.2",
        "1.1",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.3",
        "1.4",
        "1.5",
        "1.6",
        "1.7",
        "1.7.1",
        "1.8",
        "1.8.2",
        "1.8.3",
        "1.9",
        "1.9.1",
        "1.10",
        "1.10.1",
        "1.10.2",
        "1.10.3",
        "1.10.4",
        "1.11",
        "1.12",
        "1.13",
        "1.13.1",
        "1.14",
        "1.15",
        "1.15.1",
        "1.16",
        "1.17",
        "1.18",
        "1.18.1",
        "1.19",
        "1.19.1",
        "1.20",
        "1.21",
        "1.21.1",
        "1.22",
        "1.23",
        "1.24",
        "1.24.1",
        "1.24.2",
        "1.24.3",
        "1.25",
        "1.25.1",
        "1.25.2",
        "1.25.3",
        "1.25.4",
        "1.25.5",
        "1.25.6",
        "1.25.7",
        "1.25.8"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26137",
    "GHSA-wqvq-5m8c-6g24"
  ],
  "details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
  "id": "PYSEC-2020-148",
  "modified": "2020-10-14T05:15:00Z",
  "published": "2020-09-30T18:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue39603"
    },
    {
      "type": "FIX",
      "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/pull/1800"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4570-1/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wqvq-5m8c-6g24"
    }
  ]
}

cve-2020-26137

Vulnerability from cvelistv5

Published

2020-09-29 00:00

Modified

2024-08-04 15:49

Severity

Summary

References

URL	Tags
https://bugs.python.org/issue39603
https://github.com/urllib3/urllib3/pull/1800
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
https://usn.ubuntu.com/4570-1/	vendor-advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html	mailing-list
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html	mailing-list

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:49:07.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.python.org/issue39603"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/pull/1800"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
          },
          {
            "name": "USN-4570-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4570-1/"
          },
          {
            "name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-08T13:06:22.131100",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.python.org/issue39603"
        },
        {
          "url": "https://github.com/urllib3/urllib3/pull/1800"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
        },
        {
          "name": "USN-4570-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4570-1/"
        },
        {
          "name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-26137",
    "datePublished": "2020-09-29T00:00:00",
    "dateReserved": "2020-09-29T00:00:00",
    "dateUpdated": "2024-08-04T15:49:07.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

GHSA-wqvq-5m8c-6g24

Vulnerability from github

pysec-2020-148

Vulnerability from pysec

cve-2020-26137

Vulnerability from cvelistv5

Tags