Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-11078 |
CWE-ID | CWE-93 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | httplib2 |
Vendor | httplib2 |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU28245
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2020-11078
CWE-ID: CWE-93
Exploit availability:
Description
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker who controls an unescaped part of the URI passed to "httplib2.Http.request()" can change request headers and body and send additional hidden requests to the same server.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
httplib2: 0.9 - 0.17.4
Fixed software versions
External links
http://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
http://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
http://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E
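For code that cannot be updated immediately, the description and version range above suggest a caller-side guard. The following is an added example, not httplib2's own code and not the vendor patch: it checks an installed version string against the bulletin's range and rejects or percent-encodes raw control and space characters in a URI before it is passed to "httplib2.Http.request()". The function names and the example.test URI are assumptions made for illustration.

```python
import re

# Vulnerable range as listed in this bulletin: httplib2 0.9 - 0.17.4
VULN_MIN, VULN_MAX = (0, 9), (0, 17, 4)

# Raw characters that must never appear unescaped in a URI handed to an
# HTTP client: ASCII control characters (including CR and LF), space, DEL.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def in_vulnerable_range(version: str) -> bool:
    """True if a dotted numeric version falls inside the bulletin's range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return VULN_MIN <= parts <= VULN_MAX


def unsafe_chars(uri: str) -> list:
    """Return (offset, repr) for each raw control/space character in uri."""
    return [(m.start(), repr(m.group())) for m in _UNSAFE.finditer(uri)]


def quote_unsafe(uri: str) -> str:
    """Percent-encode raw control/space characters, leaving the rest as is."""
    return _UNSAFE.sub(lambda m: "%{:02X}".format(ord(m.group())), uri)


def checked_uri(uri: str, strict: bool = True) -> str:
    """Reject (strict) or neutralise the URI before it reaches the client."""
    found = unsafe_chars(uri)
    if found and strict:
        raise ValueError("raw control/space characters in URI: %r" % found)
    return quote_unsafe(uri)


if __name__ == "__main__":
    # Constructed sample: a caller-supplied value carrying a CR LF pair.
    sample = "http://example.test/item?id=1\r\nX-Injected: yes"
    print(unsafe_chars(sample))
    print(checked_uri(sample, strict=False))
```

Strict mode is the safer default for values that come from users; the offsets it reports are also useful as a log field when hunting for injection attempts.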
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?