CVE-2022-0391: Injection in Python

Severity
7.5 HIGH (NVD)
CISA: 9.8
EPSS: 1.3% (top 20.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 9
Latest update: Jul 11

Description

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The urlparse method does not sanitize its input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
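A defensive sketch for code that must parse untrusted URLs, added here as an example and not taken from the Python project or any advisory. The function names are hypothetical, the fixed-version table is copied from the description above, and refusing every ASCII control character (not only '\r' and '\n') is a stricter policy assumed by this example.

```python
import re
import sys
from urllib.parse import urlsplit

# First fixed micro release per minor series, as listed in the description.
FIXED_MICRO = {(3, 6): 14, (3, 7): 11, (3, 8): 11, (3, 9): 5}

# Assumption of this example: refuse any ASCII control character, which
# covers the '\r' and '\n' named in the CVE text and is stricter than it.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def interpreter_is_affected(version=None):
    """True if (major, minor, micro) predates the fixed releases."""
    major, minor, micro = (version or sys.version_info)[:3]
    if (major, minor) in FIXED_MICRO:
        return micro < FIXED_MICRO[(major, minor)]
    # Series older than 3.6 are not in the fixed list, so they are treated
    # as affected (conservative assumption). 3.10 and later carry the fix;
    # 3.10 pre-releases before 3.10.0b1 are not distinguished here.
    return (major, minor) < (3, 6)


def parse_untrusted_url(url):
    """Refuse URLs carrying control characters, then split them."""
    match = _CONTROL_CHARS.search(url)
    if match:
        raise ValueError(
            "control character %r at offset %d in URL"
            % (match.group(), match.start())
        )
    return urlsplit(url)


if __name__ == "__main__":
    print("interpreter affected:", interpreter_is_affected())
    # Constructed sample inputs, not taken from any real request.
    for sample in ("https://example.com/a/b?q=1", "https://example.com/a\r\nb"):
        try:
            print(repr(sample), "->", parse_untrusted_url(sample).path)
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Rejecting before parsing keeps the behaviour identical on patched and unpatched interpreters, so the guard does not depend on which release is deployed.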

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: python/python 3.7.0 3.7.11 +4
CVEListV5: python/python: python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14
NVD: oracle/http_server 12.2.1.3.0, 12.2.1.4.0 +1

Also affects: Fedora 34, 35

Patches

🔴 Vulnerability Details (6)

OSV: python2.7 vulnerabilities (2022-08-24)
OSV: python3.7 vulnerability (2022-05-23)
OSV: python2.7, python3.4, python3.5, python3.6, python3.8 vulnerabilities (2022-03-28)
GHSA: GHSA-75jm-2xrg-5wpf: A flaw was found in Python, specifically within the urllib (2022-02-11)
CVEList: CVE-2022-0391: A flaw was found in Python, specifically within the urllib (2022-02-09)

📋 Vendor Advisories (7)

Ubuntu: Python vulnerabilities (2024-07-11)
Ubuntu: Python vulnerabilities (2022-08-24)
Ubuntu: Python vulnerabilities (2022-03-28)
Microsoft: A flaw was found in Python specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does (2022-02-08)
CISA: Apache Struts 2 Improper Input Validation Vulnerability (2022-01-21)