CVE-2019-18348

Current Description

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and in urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by passing urllib.request.urlopen a first argument that contains a CRLF (\r\n) sequence (specifically in the host component of the URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
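For code that must keep calling urlopen on an interpreter without the fix, a pre-check that refuses any URL carrying a control character (CR and LF included) in any component closes this vector and the related query-string and path ones. This is an added example for Python 3, not code from the NVD record or from CPython; the URL strings in it are constructed.

```python
import re
import urllib.request

# Control characters, CR (\r) and LF (\n) among them, that must never reach an
# HTTP request line or header. Percent-encoded forms such as %0D%0A are left
# alone: urllib sends them still encoded, so they cannot end a header line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeURLError(ValueError):
    """Raised when a URL carries a control character in any component."""


def locate(url, offset):
    """Name the component holding `offset`: the host runs from '://' to the
    first '/', '?' or '#', which is also how the request line is assembled."""
    sep = url.find("://")
    if sep == -1:
        return "unknown"
    if offset < sep:
        return "scheme"
    host_start, host_end = sep + 3, len(url)
    for ch in "/?#":
        i = url.find(ch, host_start)
        if i != -1:
            host_end = min(host_end, i)
    return "host" if host_start <= offset < host_end else "path-or-query"


def find_control_chars(url):
    """Return [(offset, component, char), ...] for each control character in
    the raw URL. The raw string is scanned on purpose: recent urllib.parse
    releases strip CR, LF and TAB before splitting, so checking urlsplit()
    components would miss exactly the bytes that matter here."""
    return [(m.start(), locate(url, m.start()), m.group())
            for m in _CONTROL_CHARS.finditer(url)]


def safe_urlopen(url, **kwargs):
    """Drop-in wrapper for urllib.request.urlopen that refuses URLs which
    would let CVE-2019-18348 (or the related query/path issues) be reached
    on an unpatched interpreter."""
    findings = find_control_chars(url)
    if findings:
        where = ", ".join("%s@%d" % (comp, off) for off, comp, _ in findings)
        raise UnsafeURLError("control character in URL (%s)" % where)
    return urllib.request.urlopen(url, **kwargs)
```

Logging the component name and offset from the raised error is enough to tell a host-component attempt (this CVE) from a query or path one without recording the injected bytes themselves.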

Basic Data

Published: October 23, 2019
Last Modified: July 15, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-74
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE 2.3, Part: Application, Vendor: Python, Product: Python, Version/Update/Edition/Language/SW Edition/Target SW/Target HW/Other: *, Version Start Including: 2.0, Version End Including: 2.7.17
    CPE 2.3, Part: Application, Vendor: Python, Product: Python, Version/Update/Edition/Language/SW Edition/Target SW/Target HW/Other: *, Version Start Including: 3.0, Version End Including: 3.8.0

Vulnerable Software List

Vendor: Python, Product: Python, Versions: *

References

Name - URL (Source; Tags)
openSUSE-SU-2020:0696 - http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html (SUSE)
https://bugs.python.org/issue30458#msg347282 - https://bugs.python.org/issue30458#msg347282 (MISC; Issue Tracking)
https://bugzilla.redhat.com/show_bug.cgi?id=1727276 - https://bugzilla.redhat.com/show_bug.cgi?id=1727276 (MISC; Issue Tracking, Third Party Advisory)
[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update - https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html (MLIST)
FEDORA-2019-57462fa10d - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW (FEDORA)
FEDORA-2020-ea5bdbcc90 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSA (FEDORA)
FEDORA-2019-d202cda4f8 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGL (FEDORA)
FEDORA-2019-b06ec6159b - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WO (FEDORA)
FEDORA-2020-8bdd3fd7a4 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGY (FEDORA)
https://security.netapp.com/advisory/ntap-20191107-0004/ - https://security.netapp.com/advisory/ntap-20191107-0004/ (CONFIRM)
USN-4333-1 - https://usn.ubuntu.com/4333-1/ (UBUNTU)
USN-4333-2 - https://usn.ubuntu.com/4333-2/ (UBUNTU)