CRLF Injection Vulnerability in urllib3 Affecting Python
CVE-2020-26137

6.5MEDIUM

Key Information:

Vendor: Python
Status: Urllib3
Vendor: CVE Published:; 30 September 2020

What is CVE-2020-26137?

The vulnerability in urllib3 affects versions prior to 1.25.9, allowing attackers to exploit the handling of HTTP request methods. By inserting Carriage Return (CR) and Line Feed (LF) control characters into the initial argument of putrequest(), malicious users can manipulate HTTP requests, potentially leading to significant security breaches. The flaw is reminiscent of previous vulnerabilities, highlighting the importance of keeping libraries updated to safeguard web applications against request-based attacks.

References

https://bugs.python.org/issue39603

https://github.com/urllib3/urllib3/pull/1800

https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 30, 2020
Vulnerability Reserved
Sep 29, 2020