CVE-2019-9740: CRLF Injection
First published: Tue Mar 12 2019(Updated: )
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <0:2.7.5-86.el7 | 0:2.7.5-86.el7 |
| redhat/python | <0:2.7.5-63.el7_4 | 0:2.7.5-63.el7_4 |
| redhat/python | <0:2.7.5-74.el7_5 | 0:2.7.5-74.el7_5 |
| redhat/python | <0:2.7.5-83.el7_6 | 0:2.7.5-83.el7_6 |
| redhat/python3 | <0:3.6.8-15.1.el8 | 0:3.6.8-15.1.el8 |
| redhat/python27-python | <0:2.7.16-4.el6 | 0:2.7.16-4.el6 |
| redhat/python27-python-jinja2 | <0:2.6-12.el6 | 0:2.6-12.el6 |
| redhat/rh-python36-python | <0:3.6.9-2.el6 | 0:3.6.9-2.el6 |
| redhat/python27-python | <0:2.7.16-4.el7 | 0:2.7.16-4.el7 |
| redhat/python27-python-jinja2 | <0:2.6-15.el7 | 0:2.6-15.el7 |
| redhat/rh-python36-python | <0:3.6.9-2.el7 | 0:3.6.9-2.el7 |
| Python Python | >=2.0<2.7.17 | |
| Python Python | >=3.5.0<3.5.8 | |
| Python Python | >=3.6.0<3.6.9 | |
| Python Python | >=3.7.0<3.7.4 | |
| ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.8 | 3.5.2-2ubuntu0~16.04.8 |
| ubuntu/python2.7 | <2.7.15-4ubuntu4~18.04.1 | 2.7.15-4ubuntu4~18.04.1 |
| ubuntu/python2.7 | <2.7.16-2ubuntu0.1 | 2.7.16-2ubuntu0.1 |
| ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
| ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.8 | 2.7.12-1ubuntu0~16.04.8 |
| ubuntu/python3.6 | <3.6.8-1~18.04.2 | 3.6.8-1~18.04.2 |
| ubuntu/python3.7 | <3.7.3-2ubuntu0.1 | 3.7.3-2ubuntu0.1 |
| debian/python2.7 | 2.7.16-2+deb10u1 2.7.16-2+deb10u4 2.7.18-8+deb11u1 | |
| debian/python3.7 | 3.7.3-2+deb10u3 3.7.3-2+deb10u7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-9740 https://nvd.nist.gov/vuln/detail/CVE-2019-9740
- https://bugzilla.redhat.com/show_bug.cgi?id=1688169
- https://access.redhat.com/errata/RHBA-2020:0547
- https://access.redhat.com/errata/RHSA-2019:2030
- https://access.redhat.com/errata/RHSA-2020:1346
- https://access.redhat.com/errata/RHSA-2020:1268
- https://access.redhat.com/errata/RHSA-2020:1462
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:3520
- https://access.redhat.com/errata/RHSA-2019:1260
- https://access.redhat.com/errata/RHSA-2019:3725
- https://access.redhat.com/security/cve/CVE-2019-9740
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://www.openwall.com/lists/oss-security/2021/02/04/2
- http://www.securityfocus.com/bid/107466
- https://bugs.python.org/issue36276
- https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://seclists.org/bugtraq/2019/Oct/29
- https://security.gentoo.org/glsa/202003-26
- https://security.netapp.com/advisory/ntap-20190619-0005/
- https://usn.ubuntu.com/4127-1/
- https://usn.ubuntu.com/4127-2/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2019-9740
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1688170
- https://bugs.python.org/issue30458
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706851
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706855
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706852
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706853
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706854
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706850
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1706849
- https://github.com/python/cpython/pull/12755
- https://python-security.readthedocs.io/vuln/http-header-injection2.html
- https://github.com/python/cpython/commit/c4e671eec20dfcb29b18596a89ef075f826c9f96
- https://github.com/python/cpython/commit/b7378d77289c911ca6a0c0afaf513879002df7d5
- https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://bugs.python.org/issue36274
- https://bugs.python.org/issue38216
- https://security-tracker.debian.org/tracker/CVE-2019-9740
- https://ubuntu.com/security/notices/USN-4127-1
- https://ubuntu.com/security/notices/USN-4127-2
- https://www.cve.org/CVERecord?id=CVE-2019-9740
- https://nvd.nist.gov/vuln/detail/CVE-2019-9740
- https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a
- https://github.com/python/cpython/commit/c50d437e942d4c4c45c8cd76329b05340c02eb31
- https://github.com/python/cpython/commit/7e200e0763f5b71c199aaf98bd5588f291585619
- https://ubuntu.com/security/CVE-2019-9740
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-9740?
CVE-2019-9740 is a vulnerability discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3.
How severe is CVE-2019-9740?
CVE-2019-9740 has a severity level of 6.5 (medium).
How can an attacker exploit CVE-2019-9740?
An attacker can exploit CVE-2019-9740 by injecting CRLF sequences into a URL parameter that the attacker controls.
What is the affected software for CVE-2019-9740?
The affected software includes Python versions 2.x through 2.7.16 and Python 3.x through 3.7.3.
Are there any references for CVE-2019-9740?
Yes, you can find more information about CVE-2019-9740 in the following references: - [Bug Report on Python Bug Tracker](https://bugs.python.org/issue36276) - [Bug Report on Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1688170) - [Bug Report on Python Bug Tracker](https://bugs.python.org/issue30458)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-9740
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/2.0
- version/python python/3.5.0
- version/python python/3.6.0
- version/python python/3.7.0
- package-manager/debian
- package-manager/ubuntu