CVE-2020-26116: CRLF Injection
First published: Mon Feb 10 2020(Updated: )
A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <0:2.7.5-92.el7_9 | 0:2.7.5-92.el7_9 |
| redhat/python3 | <0:3.6.8-37.el8 | 0:3.6.8-37.el8 |
| redhat/python3 | <0:3.6.8-24.el8_2 | 0:3.6.8-24.el8_2 |
| redhat/rh-python36-python | <0:3.6.12-1.el6 | 0:3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el6 | 0:9.0.1-5.el6 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el6 | 0:15.1.0-3.el6 |
| redhat/python27-python | <0:2.7.18-2.el7 | 0:2.7.18-2.el7 |
| redhat/python27-python-pip | <0:8.1.2-6.el7 | 0:8.1.2-6.el7 |
| redhat/python27-python-virtualenv | <0:13.1.0-4.el7 | 0:13.1.0-4.el7 |
| redhat/rh-python36-python | <0:3.6.12-1.el7 | 0:3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <0:9.0.1-5.el7 | 0:9.0.1-5.el7 |
| redhat/rh-python36-python-virtualenv | <0:15.1.0-3.el7 | 0:15.1.0-3.el7 |
| redhat/rh-python38-python | <0:3.8.6-1.el7 | 0:3.8.6-1.el7 |
| redhat/rh-python38-python-psutil | <0:5.6.4-5.el7 | 0:5.6.4-5.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-6.el7 | 0:1.25.7-6.el7 |
| Python Python | >=3.0.0<3.5.10 | |
| Python Python | >=3.6.0<3.6.12 | |
| Python Python | >=3.7.0<3.7.9 | |
| Python Python | >=3.8.0<3.8.5 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Netapp Solidfire | ||
| Netapp Hci Compute Node | ||
| Netapp Hci Storage Node | ||
| Debian Debian Linux | =9.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| openSUSE Leap | =15.1 | |
| redhat/python | <3.8.5 | 3.8.5 |
| redhat/python | <3.7.9 | 3.7.9 |
| redhat/python | <3.6.12 | 3.6.12 |
| redhat/python | <3.5.10 | 3.5.10 |
| debian/pypy3 | 7.3.5+dfsg-2+deb11u2 7.3.5+dfsg-2+deb11u4 7.3.11+dfsg-2+deb12u2 7.3.17+dfsg-3 | |
| debian/python2.7 | <=2.7.18-8+deb11u1 | |
| debian/python3.9 | 3.9.2-1 3.9.2-1+deb11u2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-26116 https://nvd.nist.gov/vuln/detail/CVE-2020-26116 https://python-security.readthedocs.io/vuln/http-header-injection-method.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1883014
- https://access.redhat.com/errata/RHSA-2022:5235
- https://access.redhat.com/errata/RHSA-2021:1633
- https://access.redhat.com/errata/RHSA-2021:1761
- https://access.redhat.com/errata/RHSA-2021:1879
- https://access.redhat.com/errata/RHSA-2021:3366
- https://access.redhat.com/errata/RHSA-2020:4285
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/errata/RHSA-2020:4299
- https://access.redhat.com/security/cve/cve-2020-26116
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
- https://bugs.python.org/issue39603
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- https://python-security.readthedocs.io/vuln/http-header-injection-method.html
- https://security.gentoo.org/glsa/202101-18
- https://security.netapp.com/advisory/ntap-20201023-0001/
- https://usn.ubuntu.com/4581-1/
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://launchpad.net/bugs/cve/CVE-2020-26116
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- https://github.com/python/cpython/pull/18485
- https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e
- https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
- https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a
- https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae
- https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883247
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883243
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883244
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883246
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883245
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1875728
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1875735
- https://exchange.xforce.ibmcloud.com/vulnerabilities/189404
- https://www.ibm.com/support/pages/node/6491661 (Advisory)
- https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71
- https://security-tracker.debian.org/tracker/CVE-2020-26116
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
- https://nvd.nist.gov/vuln/detail/CVE-2020-26116
- https://ubuntu.com/security/CVE-2020-26116
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-26116?
CVE-2020-26116 is a vulnerability in Python that allows for CRLF injection through improper validation of user-supplied input in http.client.
How does CVE-2020-26116 affect Python?
CVE-2020-26116 affects Python versions 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5.
How does CVE-2020-26116 work?
By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit CVE-2020-26116 to conduct various attacks against the vulnerable Python application.
What is the severity of CVE-2020-26116?
CVE-2020-26116 has a severity rating of 7.2 (high).
How can I mitigate CVE-2020-26116?
To mitigate CVE-2020-26116, it is recommended to upgrade to Python versions 3.5.10, 3.6.12, 3.7.9, or 3.8.5, depending on your current Python version.
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-26116
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/3.0.0
- version/python python/3.6.0
- version/python python/3.7.0
- version/python python/3.8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- vendor/netapp
- canonical/netapp solidfire
- canonical/netapp hci compute node
- canonical/netapp hci storage node
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/debian