First published: Thu Jul 04 2019
A CRLF injection flaw was discovered in Python in the way URLs are handled when making an HTTP or HTTPS connection (for example through urlopen() or HTTPConnection). An attacker who can control the url argument passed to urlopen() in the urllib/urllib2 modules can inject CRLF sequences, and with them additional HTTP headers, by abusing the host part of the URL.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-python36-python | <0:3.6.12-1.el6 | 0:3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el6 | 0:9.0.1-5.el6 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el6 | 0:15.1.0-3.el6 |
| redhat/python27-python | <0:2.7.18-2.el7 | 0:2.7.18-2.el7 |
| redhat/python27-python-pip | <0:8.1.2-6.el7 | 0:8.1.2-6.el7 |
| redhat/python27-python-virtualenv | <0:13.1.0-4.el7 | 0:13.1.0-4.el7 |
| redhat/rh-python36-python | <0:3.6.12-1.el7 | 0:3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el7 | 0:9.0.1-5.el7 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el7 | 0:15.1.0-3.el7 |
| Python | >=2.0, <=2.7.17 | |
| Python | >=3.0, <3.5.10 | |
| Python | >=3.6.0, <3.6.11 | |
| Python | >=3.7.0, <3.7.8 | |
| Python | >=3.8.0, <3.8.3 | |
| ubuntu/python2.7 | <2.7.17-1~18.04ubuntu1 | 2.7.17-1~18.04ubuntu1 |
| ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
| ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.11 | 2.7.12-1ubuntu0~16.04.11 |
| ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.10 | 3.5.2-2ubuntu0~16.04.10 |
| ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1 | 3.6.9-1~18.04ubuntu1 |
| ubuntu/python3.7 | <3.7.5-2~19.10ubuntu1 | 3.7.5-2~19.10ubuntu1 |
| ubuntu/python3.8 | <3.8.2-1ubuntu1.1 | 3.8.2-1ubuntu1.1 |
| debian/python2.7 | <=2.7.16-2+deb10u1, <=2.7.16-2+deb10u4 | 2.7.18-8+deb11u1 |
| debian/python3.7 | <=3.7.3-2+deb10u3, <=3.7.3-2+deb10u7 | |
CVE-2019-18348 is a CRLF injection vulnerability in urllib2 in Python 2.x through 2.7.17 and in urllib in Python 3.x through 3.8.0.
The severity of CVE-2019-18348 is medium, with a CVSS score of 6.5.
An attacker who controls the URL parameter passed to urlopen() can exploit CVE-2019-18348 to perform CRLF injection through the host part of the URL.
Python 2.x through 2.7.17 and Python 3.x through 3.8.0 are affected by CVE-2019-18348.
A fix for CVE-2019-18348 is available in Python 2.7.18 and 3.8.1.
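Two defensive checks for the flaw described above, added here as an example and not taken from the advisory or from CPython: an input validator for applications that build URLs from untrusted data before calling urlopen(), and a startup self-test that confirms the running interpreter carries the host validation added in the fixed versions. The function names are hypothetical; the probe host string is constructed for the self-test.

```python
"""Defensive checks around CVE-2019-18348 (CRLF in the host part of a URL).

Added example, not code from the advisory or from CPython. Assumes an
application that builds URLs from untrusted input and calls
urllib.request.urlopen(); all function names here are hypothetical.
"""
import http.client
import re
from urllib.parse import urlsplit

# CR, LF, the other C0 controls, space and DEL. None of these belong in a
# URL component (spaces must be percent-encoded); on an unpatched
# interpreter CR/LF inside the host terminates the request line early and
# turns the remainder of the string into extra header lines.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def url_is_safe(url: str) -> bool:
    """True only if url has no control characters, an http(s) scheme and a
    non-empty hostname.

    The raw string is checked before parsing on purpose: current urlsplit()
    silently strips \\r, \\n and \\t (bpo-43882), so a check on the parsed
    host alone would miss exactly the bytes this CVE is about.
    """
    if _DISALLOWED.search(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def interpreter_rejects_crlf_host() -> bool:
    """True if this interpreter carries the CVE-2019-18348 fix.

    Fixed versions validate the host in HTTPConnection.__init__ and raise
    http.client.InvalidURL without opening a socket, so this probe
    (constructed host string) is safe to run at startup or in CI.
    """
    try:
        http.client.HTTPConnection("example.com\r\nX-Injected: 1")
    except http.client.InvalidURL:
        return True
    return False


def safe_urlopen(url: str, **kwargs):
    """Wrapper for urlopen() that refuses unsafe URLs before any network I/O."""
    if not url_is_safe(url):
        raise ValueError(f"refusing URL with control characters or bad scheme: {url!r}")
    from urllib.request import urlopen  # imported lazily: network only on success
    return urlopen(url, **kwargs)
```

If interpreter_rejects_crlf_host() returns False, the interpreter predates the fix and the url_is_safe() gate is the only protection in front of urlopen().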