CVE-2019-11236: CRLF Injection
First published: Wed Mar 13 2019(Updated: )
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-urllib3 | <0:1.10.2-7.el7 | 0:1.10.2-7.el7 |
| redhat/python-pip | <0:9.0.3-7.el7_7 | 0:9.0.3-7.el7_7 |
| redhat/python-virtualenv | <0:15.1.0-4.el7_7 | 0:15.1.0-4.el7_7 |
| redhat/python-pip | <0:9.0.3-7.el7_8 | 0:9.0.3-7.el7_8 |
| redhat/python-virtualenv | <0:15.1.0-4.el7_8 | 0:15.1.0-4.el7_8 |
| redhat/python-pip | <0:9.0.3-16.el8 | 0:9.0.3-16.el8 |
| redhat/python-urllib3 | <0:1.24.2-2.el8 | 0:1.24.2-2.el8 |
| redhat/python-urllib3 | <0:1.24.3-1.el7 | 0:1.24.3-1.el7 |
| Python urllib3 | <=1.24.2 | |
| redhat/python-urllib3 | <1.24.3 | 1.24.3 |
| redhat/python-urllib3 | <1.25 | 1.25 |
| IBM Concert Software | <=1.0.0 - 1.0.1 | |
| pip/urllib3 | <=1.24.2 | 1.24.3 |
| debian/python-urllib3 | 1.26.5-1~exp1 1.26.12-1 2.2.3-4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11236 https://nvd.nist.gov/vuln/detail/CVE-2019-11236
- https://bugzilla.redhat.com/show_bug.cgi?id=1700824
- https://access.redhat.com/errata/RHBA-2020:1539
- https://access.redhat.com/errata/RHBA-2020:1540
- https://access.redhat.com/errata/RHSA-2019:2272
- https://access.redhat.com/errata/RHSA-2020:0850
- https://access.redhat.com/errata/RHSA-2020:0851
- https://access.redhat.com/errata/RHSA-2020:2068
- https://access.redhat.com/errata/RHSA-2020:2081
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2020:1605
- https://access.redhat.com/errata/RHSA-2020:1916
- https://access.redhat.com/errata/RHSA-2019:3590
- https://access.redhat.com/errata/RHBA-2020:2804
- https://access.redhat.com/errata/RHBA-2020:2785
- https://access.redhat.com/security/cve/CVE-2019-11236
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
- https://github.com/urllib3/urllib3/issues/1553
- https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
- https://usn.ubuntu.com/3990-1/
- https://usn.ubuntu.com/3990-2/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11236
- https://github.com/advisories/GHSA-r64q-w8jr-g9qp (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2019-132.yaml
- https://launchpad.net/bugs/cve/CVE-2019-11236
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
- https://bugs.python.org/issue36276
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1700825
- https://github.com/urllib3/urllib3/commit/0aa3e24fcd75f1bb59ab159e9f8adb44055b2271
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1707088
- https://access.redhat.com/security/cve/cve-2019-11236
- https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
- https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1700824#c22
- https://access.redhat.com/security/cve/CVE-2019-9740
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1775364
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1775363
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1775365
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778101
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778100
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778103
- https://security-tracker.debian.org/tracker/CVE-2019-11236
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
- https://ubuntu.com/security/CVE-2019-11236
- https://www.ibm.com/support/pages/node/7173596 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2
- https://usn.ubuntu.com/3990-1
- https://usn.ubuntu.com/3990-2
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-11236?
CVE-2019-11236 is a vulnerability in the urllib3 library for Python that allows for CRLF injection if the attacker controls the request parameter.
What is the severity of CVE-2019-11236?
The severity of CVE-2019-11236 is medium with a CVSS score of 6.5.
How can I fix CVE-2019-11236?
To fix CVE-2019-11236, update your python-urllib3 package to version 1.24.3 or higher.
Where can I find more information about CVE-2019-11236?
You can find more information about CVE-2019-11236 in the following references: [Reference 1](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html), [Reference 2](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html), [Reference 3](https://access.redhat.com/errata/RHSA-2019:2272).
- collector/redhat-cve
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11236
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/event
- collector/ibm-support
- source/IBM
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r64q-w8jr-g9qp
- agent/references
- collector/github-advisory
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/python
- canonical/python urllib3
- version/python urllib3/1.24.2
- vendor/ibm
- canonical/ibm concert software
- version/ibm concert software/1.0.0 - 1.0.1
- package-manager/pip
- package-manager/debian