CVE-2020-26116 — Injection in Python
Severity: 7.2 HIGH (NVD)
EPSS: 1.0% (top 22.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 27; latest update Jul 11
Description
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.7
Affected Packages: 3 packages
Also affects: Debian Linux 9.0, Fedora 31, 32, 33, Ubuntu Linux 12.04, 14.04, 16.04, 18.04
Patches
Vulnerability Details (3)
Vendor Advisories (8)
Microsoft (2020-09-08): http.client in Python 3.x before 3.5.10 3.6.x before 3.6.12 3.7.x before 3.7.9 and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by insertin
Microsoft (2020-09-08): urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this
Community (8)
Bugzilla (2020-09-28): CVE-2020-26116 python27: python: CRLF injection via HTTP request method in httplib/http.client [fedora-all]
Bugzilla (2020-09-28): CVE-2020-26116 python26: python: CRLF injection via HTTP request method in httplib/http.client [fedora-all]
Bugzilla (2020-09-28): CVE-2020-26116 python2: python: CRLF injection via HTTP request method in httplib/http.client [fedora-all]
Bugzilla (2020-09-28): CVE-2020-26116 python34: python: CRLF injection via HTTP request method in httplib/http.client [epel-all]