CVE-2019-18348: CRLF Injection
First published: Thu Jul 04 2019(Updated: )
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to urlopen method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-python36-python | <0:3.6.12-1.el6 | 0:3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el6 | 0:9.0.1-5.el6 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el6 | 0:15.1.0-3.el6 |
| redhat/python27-python | <0:2.7.18-2.el7 | 0:2.7.18-2.el7 |
| redhat/python27-python-pip | <0:8.1.2-6.el7 | 0:8.1.2-6.el7 |
| redhat/python27-python-virtualenv | <0:13.1.0-4.el7 | 0:13.1.0-4.el7 |
| redhat/rh-python36-python | <0:3.6.12-1.el7 | 0:3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el7 | 0:9.0.1-5.el7 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el7 | 0:15.1.0-3.el7 |
| Python Python | >=2.0<=2.7.17 | |
| Python Python | >=3.0<3.5.10 | |
| Python Python | >=3.6.0<3.6.11 | |
| Python Python | >=3.7.0<3.7.8 | |
| Python Python | >=3.8.0<3.8.3 | |
| debian/python2.7 | 2.7.18-8+deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-18348 https://nvd.nist.gov/vuln/detail/CVE-2019-18348
- https://bugzilla.redhat.com/show_bug.cgi?id=1727276
- https://access.redhat.com/errata/RHSA-2020:4285
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/security/cve/cve-2019-18348
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html
- https://bugs.python.org/issue30458#msg347282
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/
- https://security.netapp.com/advisory/ntap-20191107-0004/
- https://usn.ubuntu.com/4333-1/
- https://usn.ubuntu.com/4333-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://launchpad.net/bugs/cve/CVE-2019-18348
- https://access.redhat.com/security/cve/CVE-2019-9947
- https://access.redhat.com/security/cve/CVE-2016-10739
- http://server:7777/my/path?query
- https://bugs.python.org/issue38576
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765145
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765146
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765138
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765139
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765140
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765141
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765142
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765143
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1765144
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/
- https://github.com/python/cpython/commit/9165addc22d05e776a54319a8531ebd0b2fe01ef
- https://github.com/python/cpython/commit/ff69c9d12c1b06af58e5eae5db4630cedd94740e
- https://github.com/python/cpython/commit/34f85af3229f86c004a954c3f261ceea1f5e9f95
- https://github.com/python/cpython/commit/09d8172837b6985c4ad90ee025f6b5a554a9f0ac
- https://github.com/python/cpython/commit/e176e0c105786e9f476758eb5438c57223b65e7f
- https://security-tracker.debian.org/tracker/CVE-2019-18348
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
- https://nvd.nist.gov/vuln/detail/CVE-2019-18348
- https://ubuntu.com/security/CVE-2019-18348
Frequently Asked Questions
What is CVE-2019-18348?
CVE-2019-18348 is a CRLF injection vulnerability in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0.
What is the severity of CVE-2019-18348?
The severity of CVE-2019-18348 is medium with a CVSS score of 6.5.
How can an attacker exploit CVE-2019-18348?
An attacker can exploit CVE-2019-18348 by controlling a URL parameter to perform CRLF injection.
Which versions of Python are affected by CVE-2019-18348?
Python 2.x through 2.7.17 and Python 3.x through 3.8.0 are affected by CVE-2019-18348.
Is there a fix for CVE-2019-18348?
Yes, the fix for CVE-2019-18348 is available in the respective Python versions: 2.7.18 and 3.8.1.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-18348
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/2.0
- version/python python/2.7.17
- version/python python/3.0
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- package-manager/debian