pysec - pysec-2020-46

pysec-2020-46

Vulnerability from pysec

Published

2020-05-20 16:15

Modified

2020-08-19 18:56

Details

In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "httplib2",
        "purl": "pkg:pypi/httplib2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "a1457cc31f3206cf691d11d2bf34e98865873e9e"
            }
          ],
          "repo": "https://github.com/httplib2/httplib2",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.8",
        "0.9",
        "0.9.1",
        "0.9.2",
        "0.10.3",
        "0.11.0",
        "0.11.1",
        "0.11.3",
        "0.12.0",
        "0.12.1",
        "0.12.3",
        "0.13.0",
        "0.13.1",
        "0.14.0",
        "0.15.0",
        "0.16.0",
        "0.17.0",
        "0.17.1",
        "0.17.2",
        "0.17.3",
        "0.17.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11078",
    "GHSA-gg84-qgv9-w4pq"
  ],
  "details": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
  "id": "PYSEC-2020-46",
  "modified": "2020-08-19T18:56:00Z",
  "published": "2020-05-20T16:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
    }
  ]
}

ghsa-gg84-qgv9-w4pq

Vulnerability from github

Published

2020-05-20 15:55

Modified

2024-09-20 21:55

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Summary

CRLF injection in httplib2

Details

Impact

Attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server.

Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.

Patches

Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.

Workarounds

Create URI with urllib.parse family functions: urlencode, urlunsplit.

diff user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:" -uri = "https://api.server/?q={}".format(user_input) +uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), "")) http.request(uri)

References

https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html

Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.

For more information

If you have any questions or comments about this advisory: * Open an issue in httplib2 * Email current maintainer at 2020-05

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "httplib2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-20T15:55:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nAttacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server.\n\nImpacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.\n\n### Patches\nProblem has been fixed in 0.18.0\nSpace, CR, LF characters are now quoted before any use.\nThis solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.\n\n### Workarounds\nCreate URI with `urllib.parse` family functions: `urlencode`, `urlunsplit`.\n\n```diff\nuser_input = \" HTTP/1.1\\r\\ninjected: attack\\r\\nignore-http:\"\n-uri = \"https://api.server/?q={}\".format(user_input)\n+uri = urllib.parse.urlunsplit((\"https\", \"api.server\", \"/v1\", urllib.parse.urlencode({\"q\": user_input}), \"\"))\nhttp.request(uri)\n```\n\n### References\nhttps://cwe.mitre.org/data/definitions/93.html\nhttps://docs.python.org/3/library/urllib.parse.html\n\nThanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2020-05](mailto:temotor@gmail.com)",
  "id": "GHSA-gg84-qgv9-w4pq",
  "modified": "2024-09-20T21:55:12Z",
  "published": "2020-05-20T15:55:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/httplib2/httplib2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2020-46.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CRLF injection in httplib2"
}

cve-2020-11078

Vulnerability from cvelistv5

Published

2020-05-20 16:00

Modified

2024-08-04 11:21

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Summary

CRLF injection in httplib2

References

▼	URL	Tags
	https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq	x_refsource_CONFIRM
	https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e	x_refsource_MISC
	https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/	vendor-advisory, x_refsource_FEDORA
	https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	httplib2	httplib2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.627Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
          },
          {
            "name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
          },
          {
            "name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
          },
          {
            "name": "FEDORA-2020-a7a15a9687",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
          },
          {
            "name": "FEDORA-2020-37779a5c93",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
          },
          {
            "name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
          },
          {
            "name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
          },
          {
            "name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
          },
          {
            "name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "httplib2",
          "vendor": "httplib2",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.81.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-16T18:06:04",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
        },
        {
          "name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
        },
        {
          "name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
        },
        {
          "name": "FEDORA-2020-a7a15a9687",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
        },
        {
          "name": "FEDORA-2020-37779a5c93",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
        },
        {
          "name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
        },
        {
          "name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
        },
        {
          "name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
        },
        {
          "name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
        }
      ],
      "source": {
        "advisory": "GHSA-gg84-qgv9-w4pq",
        "discovery": "UNKNOWN"
      },
      "title": "CRLF injection in httplib2",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11078",
          "STATE": "PUBLIC",
          "TITLE": "CRLF injection in httplib2"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "httplib2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.81.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "httplib2"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
              "refsource": "CONFIRM",
              "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
            },
            {
              "name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
              "refsource": "MISC",
              "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
            },
            {
              "name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
            },
            {
              "name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
            },
            {
              "name": "FEDORA-2020-a7a15a9687",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
            },
            {
              "name": "FEDORA-2020-37779a5c93",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
            },
            {
              "name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
            },
            {
              "name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
            },
            {
              "name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
            },
            {
              "name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-gg84-qgv9-w4pq",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11078",
    "datePublished": "2020-05-20T16:00:16",
    "dateReserved": "2020-03-30T00:00:00",
    "dateUpdated": "2024-08-04T11:21:14.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2020-46

Vulnerability from pysec

ghsa-gg84-qgv9-w4pq

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

cve-2020-11078

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature