First published: Sun Apr 18 2021(Updated: )
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python3 | <0:3.6.8-47.el8_6 | 0:3.6.8-47.el8_6 |
redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
redhat/python27-python | <0:2.7.18-4.el7 | 0:2.7.18-4.el7 |
Python Python | <3.6.14 | |
Python Python | >=3.7.0<3.7.11 | |
Python Python | >=3.8.0<3.8.11 | |
Python Python | >=3.9.0<3.9.5 | |
Python Python | =3.10.0-alpha1 | |
Python Python | =3.10.0-alpha2 | |
Python Python | =3.10.0-alpha3 | |
Python Python | =3.10.0-alpha4 | |
Python Python | =3.10.0-alpha5 | |
Python Python | =3.10.0-alpha6 | |
Netapp Active Iq Unified Manager Vsphere | ||
Netapp Hci | ||
Netapp Management Services For Element Software | ||
NetApp ONTAP Select Deploy administration utility | ||
Netapp Solidfire\, Enterprise Sds \& Hci Storage Node | ||
Netapp Hci Compute Node | ||
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Oracle HTTP Server | =12.2.1.3.0 | |
Oracle HTTP Server | =12.2.1.4.0 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
redhat/python | <3.10.0 | 3.10.0 |
redhat/python | <3.9.5 | 3.9.5 |
redhat/python | <3.8.11 | 3.8.11 |
redhat/python | <3.7.11 | 3.7.11 |
redhat/python | <3.6.14 | 3.6.14 |
IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |
debian/pypy3 | <=7.3.5+dfsg-2+deb11u2 | 7.3.5+dfsg-2+deb11u4 7.3.11+dfsg-2+deb12u2 7.3.17+dfsg-3 |
debian/python2.7 | 2.7.18-8+deb11u1 | |
debian/python3.9 | <=3.9.2-1<=3.9.2-1+deb11u2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-0391 is a vulnerability in Python that allows characters like '\r' and '\n' in the URL path, resulting in weaker than expected security.
CVE-2022-0391 has a severity score of 7.5 (High).
CVE-2022-0391 affects Python versions up to 3.10.0 and allows improper input validation in the urllib.parse module.
To fix CVE-2022-0391, upgrade to Python version 3.10.0 or apply the appropriate remedy provided by Red Hat.
You can find more information about CVE-2022-0391 in the references provided: [link1], [link2].