CVE-2022-0391

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Published: Feb 10, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-0391
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
python / python	3.10.0-alpha1	3.10.0-alpha1.x
python / python	3.10.0-alpha2	3.10.0-alpha2.x
python / python	3.10.0-alpha3	3.10.0-alpha3.x
python / python	3.10.0-alpha4	3.10.0-alpha4.x
python / python	3.10.0-alpha5	3.10.0-alpha5.x
python / python	3.10.0-alpha6	3.10.0-alpha6.x
python / python	3.9.0	3.9.5
python / python	3.8.0	3.8.11
python / python	3.7.0	3.7.11
python / python	-	3.6.14
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
oracle / http_server	12.2.1.3.0	12.2.1.3.0.x
oracle / http_server	12.2.1.4.0	12.2.1.4.0.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x

Vulnerability Database

289,599

CVE-2022-0391