CVE-2020-26137

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Published: Sep 30, 2020
Updated: Oct 9, 2023
CVE: CVE-2020-26137
GHSA: GHSA-wqvq-5m8c-6g24
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
python / urllib3	-	1.25.9
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	16.04	16.04.x
debian / debian_linux	9.0	9.0.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
oracle / communications_cloud_native_core_network_function_cloud_native_environment	22.2.0	22.2.0.x
urllib3	-	1.25.9

https://bugs.python.org/issue39603
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
https://github.com/urllib3/urllib3/pull/1800
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://usn.ubuntu.com/4570-1/
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerability Database

289,697

CVE-2020-26137