CVE-2019-9740 — CRLF Injection in Python

CWE-93 — CRLF Injection CWE-113 — HTTP Request/Response Splitting CWE-74 — Injection35 documents8 sources

Severity

6.1MEDIUMNVD

OSV7.6OSV7.5OSV5.3

EPSS

9.9%

top 6.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Python2.7 Msrc CBL Mariner 1.0 ARM +2 more

Timeline

PublishedMar 13

Latest updateJul 11

Description

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDpython/python2.0 — 2.7.17+9

▶debiandebian/python2.7< python2.7 2.7.16-3 (bullseye)+1

▶msrcmsrc/cm1_python3_3.7.10-3_on_cbl_mariner_1.0

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

🔴Vulnerability Details

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

GHSA-v3f8-6665-x7rx: An issue was discovered in urllib2 in Python 2↗2022-05-24

▶

GHSA

GHSA-89ff-5r66-wr8j: An issue was discovered in urllib2 in Python 2↗2022-05-13

▶

GHSA

GHSA-p3j2-v862-h3v3: An issue was discovered in urllib2 in Python 2↗2022-05-13

▶

OSV

CVE-2019-18348: An issue was discovered in urllib2 in Python 2↗2019-10-23

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Red Hat

python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function↗2020-05-20

▶

Microsoft

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter as demonstrated by the first↗2019-10-08

▶

Ubuntu

Python vulnerabilities↗2019-09-10

▶

Ubuntu

Python vulnerabilities↗2019-09-09

▶

💬Community

Bugzilla

CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function↗2020-06-10

▶

Bugzilla

CVE-2019-9740 python34: python: improper neutralization of CRLF sequences in urllib module [epel-all]↗2019-05-06

▶

Bugzilla

CVE-2019-9740 python34: python: improper neutralization of CRLF sequences in urllib module [fedora-all]↗2019-05-06

▶

Bugzilla

CVE-2019-9740 python35: python: improper neutralization of CRLF sequences in urllib module [fedora-all]↗2019-05-06

▶

Bugzilla

CVE-2019-9740 python3: python: improper neutralization of CRLF sequences in urllib module [fedora-all]↗2019-05-06

▶