CVE-2020-26116: CRLF Injection
First published: Mon Feb 10 2020(Updated: )
Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <0:2.7.5-92.el7_9 | 0:2.7.5-92.el7_9 |
| redhat/python3 | <0:3.6.8-37.el8 | 0:3.6.8-37.el8 |
| redhat/python3 | <0:3.6.8-24.el8_2 | 0:3.6.8-24.el8_2 |
| redhat/rh-python36-python | <0:3.6.12-1.el6 | 0:3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el6 | 0:9.0.1-5.el6 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el6 | 0:15.1.0-3.el6 |
| redhat/python27-python | <0:2.7.18-2.el7 | 0:2.7.18-2.el7 |
| redhat/python27-python-pip | <0:8.1.2-6.el7 | 0:8.1.2-6.el7 |
| redhat/python27-python-virtualenv | <0:13.1.0-4.el7 | 0:13.1.0-4.el7 |
| redhat/rh-python36-python | <0:3.6.12-1.el7 | 0:3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el7 | 0:9.0.1-5.el7 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el7 | 0:15.1.0-3.el7 |
| redhat/rh-python38-python | <0:3.8.6-1.el7 | 0:3.8.6-1.el7 |
| redhat/rh-python38-python-psutil | <0:5.6.4-5.el7 | 0:5.6.4-5.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-6.el7 | 0:1.25.7-6.el7 |
| Python Python | >=3.0.0<3.5.10 | |
| Python Python | >=3.6.0<3.6.12 | |
| Python Python | >=3.7.0<3.7.9 | |
| Python Python | >=3.8.0<3.8.5 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Netapp Solidfire | ||
| Netapp Hci Compute Node | ||
| Netapp Hci Storage Node | ||
| Debian Debian Linux | =9.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| openSUSE Leap | =15.1 | |
| ubuntu/python3.9 | <3.9.0~ | 3.9.0~ |
| ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.12 | 3.5.2-2ubuntu0~16.04.12 |
| ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1.3 | 3.6.9-1~18.04ubuntu1.3 |
| redhat/python | <3.8.5 | 3.8.5 |
| redhat/python | <3.7.9 | 3.7.9 |
| redhat/python | <3.6.12 | 3.6.12 |
| redhat/python | <3.5.10 | 3.5.10 |
| debian/python2.7 | <=2.7.16-2+deb10u1<=2.7.18-8+deb11u1 | 2.7.16-2+deb10u4 |
| debian/python3.7 | 3.7.3-2+deb10u3 3.7.3-2+deb10u7 | |
| debian/python3.9 | 3.9.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-26116 https://nvd.nist.gov/vuln/detail/CVE-2020-26116 https://python-security.readthedocs.io/vuln/http-header-injection-method.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1883014
- https://access.redhat.com/errata/RHSA-2022:5235
- https://access.redhat.com/errata/RHSA-2021:1633
- https://access.redhat.com/errata/RHSA-2021:1761
- https://access.redhat.com/errata/RHSA-2021:1879
- https://access.redhat.com/errata/RHSA-2021:3366
- https://access.redhat.com/errata/RHSA-2020:4285
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/errata/RHSA-2020:4299
- https://access.redhat.com/security/cve/cve-2020-26116
- https://exchange.xforce.ibmcloud.com/vulnerabilities/189404
- https://www.ibm.com/support/pages/node/6491661 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
- https://bugs.python.org/issue39603
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- https://python-security.readthedocs.io/vuln/http-header-injection-method.html
- https://security.gentoo.org/glsa/202101-18
- https://security.netapp.com/advisory/ntap-20201023-0001/
- https://usn.ubuntu.com/4581-1/
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://launchpad.net/bugs/cve/CVE-2020-26116
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- https://github.com/python/cpython/pull/18485
- https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e
- https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
- https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a
- https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae
- https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883247
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883243
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883244
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883246
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883245
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1875728
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1875735
- https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71
- https://security-tracker.debian.org/tracker/CVE-2020-26116
- https://ubuntu.com/security/notices/USN-4581-1
- https://ubuntu.com/security/notices/USN-4754-3
- https://www.cve.org/CVERecord?id=CVE-2020-26116
- https://nvd.nist.gov/vuln/detail/CVE-2020-26116
- https://ubuntu.com/security/CVE-2020-26116
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-26116?
CVE-2020-26116 is a vulnerability in Python that allows for CRLF injection through improper validation of user-supplied input in http.client.
How does CVE-2020-26116 affect Python?
CVE-2020-26116 affects Python versions 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5.
How does CVE-2020-26116 work?
By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit CVE-2020-26116 to conduct various attacks against the vulnerable Python application.
What is the severity of CVE-2020-26116?
CVE-2020-26116 has a severity rating of 7.2 (high).
How can I mitigate CVE-2020-26116?
To mitigate CVE-2020-26116, it is recommended to upgrade to Python versions 3.5.10, 3.6.12, 3.7.9, or 3.8.5, depending on your current Python version.
- collector/redhat-cve
- collector/ibm-support
- collector/nvd-index
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-26116
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/3.0.0
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- vendor/netapp
- canonical/netapp solidfire
- canonical/netapp hci compute node
- canonical/netapp hci storage node
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/debian
- package-manager/ubuntu