CVE-2020-26137
MEDIUM 6.5
Description
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE Details
CVSS v3.1 Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 9/30/2020
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
canonical:ubuntu_linux
debian:debian_linux
oracle:communications_cloud_native_core_network_function_cloud_native_environment
oracle:zfs_storage_appliance_kit
python:urllib3
Weaknesses (CWE)
CWE-74
References
https://bugs.python.org/issue39603 (cve@mitre.org)
https://github.com/urllib3/urllib3/pull/1800 (cve@mitre.org)
https://usn.ubuntu.com/4570-1/ (cve@mitre.org)
https://www.oracle.com/security-alerts/cpujul2022.html (cve@mitre.org)
https://www.oracle.com/security-alerts/cpuoct2021.html (cve@mitre.org)
https://bugs.python.org/issue39603 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/urllib3/urllib3/pull/1800 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4570-1/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.