Vulnerability Details : CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Products affected by CVE-2020-26116
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-26116
Top countries where our scanners detected CVE-2020-26116
Top open port discovered on systems with this issue
80
IPs affected by CVE-2020-26116 316,605
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2020-26116!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2020-26116
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26116
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
3.9
|
2.7
|
NIST |
CWE ids for CVE-2020-26116
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26116
-
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
[security-announce] openSUSE-SU-2020:1859-1: moderate: Security update fMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
[SECURITY] Fedora 31 Update: python2-2.7.18-6.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
http.client: HTTP Header Injection in the HTTP method — Python Security 0.0 documentationPatch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
[SECURITY] [DLA 3432-1] python2.7 security update
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
[SECURITY] Fedora 32 Update: mingw-python3-3.8.3-7.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20201023-0001/
CVE-2020-26116 Python Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
[SECURITY] Fedora 33 Update: python2.7-2.7.18-6.fc33 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://usn.ubuntu.com/4581-1/
USN-4581-1: Python vulnerability | Ubuntu security notices | UbuntuThird Party Advisory
-
https://bugs.python.org/issue39603
Issue 39603: [security] http.client: HTTP Header Injection in the HTTP method - Python trackerExploit;Issue Tracking;Patch;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
[SECURITY] Fedora 32 Update: python27-2.7.18-6.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202101-18
Python: Multiple vulnerabilities (GLSA 202101-18) — Gentoo securityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
[SECURITY] Fedora 32 Update: python34-3.4.10-11.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
[SECURITY] [DLA 2456-1] python3.5 security updateMailing List;Third Party Advisory
Jump to