CVE-2019-9740: CRLF Injection
First published: Wed Mar 13 2019(Updated: )
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command. Reference: <a href="https://bugs.python.org/issue36276">https://bugs.python.org/issue36276</a>
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <0:2.7.5-86.el7 | 0:2.7.5-86.el7 |
| redhat/python | <0:2.7.5-63.el7_4 | 0:2.7.5-63.el7_4 |
| redhat/python | <0:2.7.5-74.el7_5 | 0:2.7.5-74.el7_5 |
| redhat/python | <0:2.7.5-83.el7_6 | 0:2.7.5-83.el7_6 |
| redhat/python3 | <0:3.6.8-15.1.el8 | 0:3.6.8-15.1.el8 |
| redhat/python27-python | <0:2.7.16-4.el6 | 0:2.7.16-4.el6 |
| redhat/python27-python-jinja2 | <0:2.6-12.el6 | 0:2.6-12.el6 |
| redhat/rh-python36-python | <0:3.6.9-2.el6 | 0:3.6.9-2.el6 |
| redhat/python27-python | <0:2.7.16-4.el7 | 0:2.7.16-4.el7 |
| redhat/python27-python-jinja2 | <0:2.6-15.el7 | 0:2.6-15.el7 |
| redhat/rh-python36-python | <0:3.6.9-2.el7 | 0:3.6.9-2.el7 |
| Python Python | >=2.0<2.7.17 | |
| Python Python | >=3.5.0<3.5.8 | |
| Python Python | >=3.6.0<3.6.9 | |
| Python Python | >=3.7.0<3.7.4 | |
| debian/python2.7 | 2.7.18-8+deb11u1 | |
| >=2.0<2.7.17 | ||
| >=3.5.0<3.5.8 | ||
| >=3.6.0<3.6.9 | ||
| >=3.7.0<3.7.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-9740 https://nvd.nist.gov/vuln/detail/CVE-2019-9740
- https://bugzilla.redhat.com/show_bug.cgi?id=1688169
- https://access.redhat.com/errata/RHBA-2020:0547
- https://access.redhat.com/errata/RHSA-2019:2030
- https://access.redhat.com/errata/RHSA-2020:1346
- https://access.redhat.com/errata/RHSA-2020:1268
- https://access.redhat.com/errata/RHSA-2020:1462
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:3520
- https://access.redhat.com/errata/RHSA-2019:1260
- https://access.redhat.com/errata/RHSA-2019:3725
- https://access.redhat.com/security/cve/CVE-2019-9740
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://www.openwall.com/lists/oss-security/2021/02/04/2
- http://www.securityfocus.com/bid/107466
- https://bugs.python.org/issue36276
- https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://seclists.org/bugtraq/2019/Oct/29
- https://security.gentoo.org/glsa/202003-26
- https://security.netapp.com/advisory/ntap-20190619-0005/
- https://usn.ubuntu.com/4127-1/
- https://usn.ubuntu.com/4127-2/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2019-9740
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1688170
- https://bugs.python.org/issue30458
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706851
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706855
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706852
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706853
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706854
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706850
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706849
- https://github.com/python/cpython/pull/12755
- https://python-security.readthedocs.io/vuln/http-header-injection2.html
- https://github.com/python/cpython/commit/c4e671eec20dfcb29b18596a89ef075f826c9f96
- https://github.com/python/cpython/commit/b7378d77289c911ca6a0c0afaf513879002df7d5
- https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://bugs.python.org/issue36274
- https://bugs.python.org/issue38216
- https://security-tracker.debian.org/tracker/CVE-2019-9740
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
- https://nvd.nist.gov/vuln/detail/CVE-2019-9740
- https://ubuntu.com/security/CVE-2019-9740
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-9740?
CVE-2019-9740 is a vulnerability discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3.
How severe is CVE-2019-9740?
CVE-2019-9740 has a severity level of 6.5 (medium).
How can an attacker exploit CVE-2019-9740?
An attacker can exploit CVE-2019-9740 by injecting CRLF sequences into a URL parameter that the attacker controls.
What is the affected software for CVE-2019-9740?
The affected software includes Python versions 2.x through 2.7.16 and Python 3.x through 3.7.3.
Are there any references for CVE-2019-9740?
Yes, you can find more information about CVE-2019-9740 in the following references: - [Bug Report on Python Bug Tracker](https://bugs.python.org/issue36276) - [Bug Report on Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1688170) - [Bug Report on Python Bug Tracker](https://bugs.python.org/issue30458)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-9740
- agent/weakness
- agent/severity
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- collector/nvd-api
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/2.0
- version/python python/3.5.0
- version/python python/3.6.0
- version/python python/3.7.0
- package-manager/debian