First published: Mon Feb 10 2020(Updated: )
A flaw was found in python-urllib3. The HTTPConnection.request() does not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python | <0:2.7.5-92.el7_9 | 0:2.7.5-92.el7_9 |
redhat/python-urllib3 | <0:1.24.2-5.el8 | 0:1.24.2-5.el8 |
redhat/python-urllib3 | <0:1.26.2-1.el7 | 0:1.26.2-1.el7 |
redhat/rh-python38-python | <0:3.8.6-1.el7 | 0:3.8.6-1.el7 |
redhat/rh-python38-python-psutil | <0:5.6.4-5.el7 | 0:5.6.4-5.el7 |
redhat/rh-python38-python-urllib3 | <0:1.25.7-6.el7 | 0:1.25.7-6.el7 |
Python urllib3 | <1.25.9 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
Debian Debian Linux | =9.0 | |
Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =22.2.0 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
redhat/urllib3 | <1.25.9 | 1.25.9 |
IBM Concert Software | <=1.0.0 - 1.0.1 | |
pip/urllib3 | <1.25.9 | 1.25.9 |
debian/python-urllib3 | 1.26.5-1~exp1 1.26.12-1 2.2.3-4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-26137 is a vulnerability in urllib3 library that allows CRLF injection if the attacker controls the HTTP request method.
The severity of CVE-2020-26137 is high, with a CVSS score of 7.4.
CVE-2020-26137 can potentially impact confidentiality and integrity of the affected system.
Versions up to and excluding urllib3 1.25.9 are affected by CVE-2020-26137.
The remedy for CVE-2020-26137 is to update urllib3 to version 1.25.9 or later.