CVE-2019-9947 — HTTP Request/Response Splitting in Python

CWE-113 — HTTP Request/Response Splitting CWE-74 — Injection CWE-93 — CRLF Injection31 documents8 sources

Severity

6.1MEDIUMNVD

OSV7.6OSV7.5OSV5.3

EPSS

1.2%

top 21.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Python2.7 Msrc CBL Mariner 1.0 ARM +2 more

Timeline

PublishedMar 23

Latest updateJul 11

Description

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDpython/python3.0 — 3.5.10+8

▶debiandebian/python2.7< python2.7 2.7.18~rc1-1 (bullseye)+1

▶msrcmsrc/cm1_python3_3.7.10-3_on_cbl_mariner_1.0

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

Patches

Patch: bugs.python.org ↗Patch: bugs.python.org ↗

🔴Vulnerability Details

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

GHSA-v3f8-6665-x7rx: An issue was discovered in urllib2 in Python 2↗2022-05-24

▶

GHSA

GHSA-89ff-5r66-wr8j: An issue was discovered in urllib2 in Python 2↗2022-05-13

▶

OSV

CVE-2019-18348: An issue was discovered in urllib2 in Python 2↗2019-10-23

▶

OSV

python2.7, python3.4 vulnerabilities↗2019-09-10

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Red Hat

python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function↗2020-05-20

▶

Microsoft

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter as demonstrated by the first↗2019-10-08

▶

Ubuntu

Python vulnerabilities↗2019-09-10

▶

Ubuntu

Python vulnerabilities↗2019-09-09

▶

💬Community

Bugzilla

CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function↗2020-06-10

▶

Bugzilla

CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()↗2019-07-05

▶

Bugzilla

CVE-2019-9947 python3: python: improper neutralization of CRLF sequences in urllib module [fedora-all]↗2019-04-17

▶

Bugzilla

CVE-2019-9947 python3: python: improper neutralization of CRLF sequences in urllib module [fedora-all]↗2019-04-11

▶

Bugzilla

CVE-2019-9947 CVE-2019-9948 python37: various flaws [fedora-28]↗2019-04-11

▶