Vulnerability Details : CVE-2020-26137
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
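The failure mode described above, as an added Python illustration that is not code from the advisory or from urllib3: the first function assembles a request head the way an unvalidated putrequest() does, the parser shows what a server sees when the method carries CR/LF, and the token check is this example's own hardening in the spirit of the referenced fix (which raises ValueError when the method contains control characters). The host, path and injected method string are constructed sample inputs.

```python
import re

# Constructed sample inputs for this example (not taken from the advisory).
# INJECTED_METHOD is what an attacker who controls the "method" argument could
# pass: CR/LF terminates the request line early, adds a header of their choosing,
# and leaves a trailing "GET" so the caller's own path still looks well-formed.
HOST_HEADERS = {"Host": "example.test"}
INJECTED_METHOD = "GET /legit HTTP/1.1\r\nX-Injected: yes\r\nGET"


def build_request_head(method, path, headers=None):
    """Assemble a request head the way an unvalidated putrequest() would:
    the method string is dropped straight into the request line."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    for name, value in (headers or {}).items():
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request_head(raw):
    """Split a request head the way a server does: the first CRLF-terminated
    line is the request line, the rest are headers. Lines with no ':' are
    returned separately as 'stray' so injected fragments are visible."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    stray = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
        else:
            stray.append(line)
    return lines[0], headers, stray


# RFC 7230 "token" characters are the only ones legal in a method. Rejecting
# anything else covers CR, LF, NUL, space and every other control character.
# This check is this example's own, written in the spirit of the urllib3
# 1.25.9 fix (PR #1800), which raises ValueError for control characters.
_NON_TOKEN_RE = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")


def validate_method(method):
    """Return the method unchanged if it is a valid HTTP token, else raise ValueError."""
    if not method:
        raise ValueError("Method must not be empty")
    match = _NON_TOKEN_RE.search(method)
    if match:
        raise ValueError(
            "Method cannot contain non-token characters %r (found %r)"
            % (method, match.group())
        )
    return method


def build_request_head_safe(method, path, headers=None):
    """Hardened variant: validate before the method reaches the request line."""
    return build_request_head(validate_method(method), path, headers)


def method_is_safe(method):
    """True if validate_method() accepts the method."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    raw = build_request_head(INJECTED_METHOD, "/target", HOST_HEADERS)
    request_line, headers, stray = parse_request_head(raw)
    print("request line seen by server:", request_line)
    print("headers seen by server:", headers)
    print("stray lines:", stray)
    try:
        build_request_head_safe(INJECTED_METHOD, "/target", HOST_HEADERS)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
```

Run stand-alone, the unvalidated builder yields a request whose target was rewritten by the attacker ("/legit" instead of "/target"), an extra X-Injected header, and the caller's own request line left over as a stray fragment; the hardened builder refuses the same input before anything is written to the socket. The practical check for a deployment is the version: urllib3 1.25.9 or later rejects such a method at putrequest().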
Products affected by CVE-2020-26137
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26137
- EPSS score: 0.21% (estimated probability of exploitation activity in the next 30 days)
- EPSS percentile: ~59% (the proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2020-26137
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | NIST |
CWE ids for CVE-2020-26137
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-26137
- https://github.com/urllib3/urllib3/pull/1800
  Raise ValueError if method contains control characters by sethmlarson · Pull Request #1800 · urllib3/urllib3 · GitHub (Patch; Third Party Advisory)
- https://usn.ubuntu.com/4570-1/
  USN-4570-1: urllib3 vulnerability | Ubuntu security notices | Ubuntu (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
  [SECURITY] [DLA 2686-1] python-urllib3 security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
  [SECURITY] [DLA 3610-1] python-urllib3 security update
- https://bugs.python.org/issue39603
  Issue 39603: [security] http.client: HTTP Header Injection in the HTTP method - Python tracker (Issue Tracking; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html
  Oracle Critical Patch Update Advisory - October 2021 (Patch; Third Party Advisory)
- https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
  Raise ValueError if method contains control characters (#1800) · urllib3/urllib3@1dd69c5 · GitHub (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html
  Oracle Critical Patch Update Advisory - July 2022 (Patch; Third Party Advisory)