What is CVE-2022-0391?

CVE-2022-0391 is a vulnerability in Python that allows characters like '\r' and '\n' in the URL path, resulting in weaker than expected security.

What is the severity of CVE-2022-0391?

CVE-2022-0391 has a severity score of 7.5 (High).

How does CVE-2022-0391 affect Python?

CVE-2022-0391 affects Python versions up to 3.10.0 and allows improper input validation in the urllib.parse module.

How can I fix CVE-2022-0391?

To fix CVE-2022-0391, upgrade to Python version 3.10.0 or apply the appropriate remedy provided by Red Hat.

Where can I find more information about CVE-2022-0391?

You can find more information about CVE-2022-0391 in the references provided: [link1], [link2].

Vulnerability/
CVE-2022-0391

high

7.5

CWE

20 74

18/4/2021

9/2/2022

2/8/2024

CVE-2022-0391: Input Validation

First published: Sun Apr 18 2021(Updated: )

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks.

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/python3	<0:3.6.8-47.el8_6	0:3.6.8-47.el8_6
redhat/rh-python38-babel	<0:2.7.0-12.el7	0:2.7.0-12.el7
redhat/rh-python38-python	<0:3.8.11-2.el7	0:3.8.11-2.el7
redhat/rh-python38-python-cryptography	<0:2.8-5.el7	0:2.8-5.el7
redhat/rh-python38-python-jinja2	<0:2.10.3-6.el7	0:2.10.3-6.el7
redhat/rh-python38-python-lxml	<0:4.4.1-7.el7	0:4.4.1-7.el7
redhat/rh-python38-python-pip	<0:19.3.1-2.el7	0:19.3.1-2.el7
redhat/rh-python38-python-urllib3	<0:1.25.7-7.el7	0:1.25.7-7.el7
redhat/python27-python	<0:2.7.18-4.el7	0:2.7.18-4.el7
Python Python	<3.6.14
Python Python	>=3.7.0<3.7.11
Python Python	>=3.8.0<3.8.11
Python Python	>=3.9.0<3.9.5
Python Python	=3.10.0-alpha1
Python Python	=3.10.0-alpha2
Python Python	=3.10.0-alpha3
Python Python	=3.10.0-alpha4
Python Python	=3.10.0-alpha5
Python Python	=3.10.0-alpha6
Netapp Active Iq Unified Manager Vsphere
Netapp Hci
Netapp Management Services For Element Software
NetApp ONTAP Select Deploy administration utility
Netapp Solidfire\, Enterprise Sds \& Hci Storage Node
Netapp Hci Compute Node
Fedoraproject Fedora	=34
Fedoraproject Fedora	=35
Oracle HTTP Server	=12.2.1.3.0
Oracle HTTP Server	=12.2.1.4.0
Oracle ZFS Storage Appliance Kit	=8.8
redhat/python	<3.10.0	3.10.0
redhat/python	<3.9.5	3.9.5
redhat/python	<3.8.11	3.8.11
redhat/python	<3.7.11	3.7.11
redhat/python	<3.6.14	3.6.14
IBM Cognos Analytics 11.2.x	<=IBM Cognos Analytics 11.2.x
IBM Cognos Analytics 11.1.x	<=IBM Cognos Analytics 11.1.x
debian/pypy3	<=7.3.5+dfsg-2+deb11u2<=7.3.5+dfsg-2+deb11u3	7.3.11+dfsg-2+deb12u2 7.3.17+dfsg-2
debian/python2.7		2.7.18-8+deb11u1
debian/python3.9	<=3.9.2-1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-0391?
CVE-2022-0391 is a vulnerability in Python that allows characters like '\r' and '\n' in the URL path, resulting in weaker than expected security.
What is the severity of CVE-2022-0391?
CVE-2022-0391 has a severity score of 7.5 (High).
How does CVE-2022-0391 affect Python?
CVE-2022-0391 affects Python versions up to 3.10.0 and allows improper input validation in the urllib.parse module.
How can I fix CVE-2022-0391?
To fix CVE-2022-0391, upgrade to Python version 3.10.0 or apply the appropriate remedy provided by Red Hat.
Where can I find more information about CVE-2022-0391?
You can find more information about CVE-2022-0391 in the references provided: [link1], [link2].

collector/redhat-cve
agent/type
agent/first-publish-date
agent/severity
agent/weakness
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-api
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-0391
agent/software-canonical-lookup
agent/remedy
agent/description
collector/nvd-cve
source/NVD
agent/author
collector/launchpad-cve
source/Launchpad
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
collector/ibm-support
source/IBM
agent/references
agent/tags
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
package-manager/redhat
vendor/python
canonical/python python
version/python python/3.7.0
version/python python/3.8.0
version/python python/3.9.0
version/python python/3.10.0-alpha1
version/python python/3.10.0-alpha2
version/python python/3.10.0-alpha3
version/python python/3.10.0-alpha4
version/python python/3.10.0-alpha5
version/python python/3.10.0-alpha6
vendor/netapp
canonical/netapp active iq unified manager vsphere
canonical/netapp hci
canonical/netapp management services for element software
canonical/netapp ontap select deploy administration utility
canonical/netapp solidfire\, enterprise sds \& hci storage node
canonical/netapp hci compute node
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/34
version/fedoraproject fedora/35
vendor/oracle
canonical/oracle http server
version/oracle http server/12.2.1.3.0
version/oracle http server/12.2.1.4.0
canonical/oracle zfs storage appliance kit
version/oracle zfs storage appliance kit/8.8
vendor/ibm
canonical/ibm cognos analytics 11.2.x
version/ibm cognos analytics 11.2.x/ibm cognos analytics 11.2.x
canonical/ibm cognos analytics 11.1.x
version/ibm cognos analytics 11.1.x/ibm cognos analytics 11.1.x
package-manager/debian

CVE-2022-0391: Input Validation

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is CVE-2022-0391?

What is the severity of CVE-2022-0391?

How does CVE-2022-0391 affect Python?

How can I fix CVE-2022-0391?

Where can I find more information about CVE-2022-0391?

Company

Resources

Contact