Severity
6.1MEDIUM
EPSS
0.6%
top 29.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 15
Latest updateMay 13
Description
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages4 packages
🔴Vulnerability Details
6📋Vendor Advisories
5Microsoft▶
In the urllib3 library through 1.24.1 for Python CRLF injection is possible if the attacker controls the request parameter.↗2019-04-09
Red Hat▶
python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service↗2019-03-13
Debian▶
CVE-2019-11236: python-urllib3 - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if ...↗2019
💬Community
9Bugzilla▶
CVE-2019-11236 python3-virtualenv: python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service [epel-7]↗2019-11-29
Bugzilla▶
CVE-2019-11236 python-virtualenv: python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service [epel-6]↗2019-11-29
Bugzilla▶
CVE-2019-11236 python-virtualenv: python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service [fedora-30]↗2019-11-29
Bugzilla▶
CVE-2019-11236 python-pip: python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service [epel-6]↗2019-11-21
Bugzilla▶
CVE-2019-11236 python-pip-epel: python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service [epel-7]↗2019-11-21