Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU47403
Risk: Medium
CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-26137
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
MitigationUpdate the affected package aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Public Cloud: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Python2: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise Server for SAP: 15-SP1
SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE MicroOS: 5.0
SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP2 - 15-SP3
SUSE Linux Enterprise Server: 15-SP1-BCL - 15-SP1-LTSS
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
python3-cryptography-debuginfo: before 2.8-10.1
python3-cffi-debuginfo: before 1.13.2-3.2.5
python2-botocore: before 1.20.9-33.1
python2-boto3: before 1.17.9-19.1
python3-trustme: before 0.6.0-3.3.1
python3-service_identity: before 18.1.0-3.3.1
aws-cli: before 1.19.9-26.1
python2-pyOpenSSL: before 17.5.0-8.3.1
python2-cryptography-debuginfo: before 2.8-10.1
python2-cryptography: before 2.8-10.1
python2-cffi-debuginfo: before 1.13.2-3.2.5
python2-cffi: before 1.13.2-3.2.5
python-cryptography-debugsource: before 2.8-10.1
python-cryptography-debuginfo: before 2.8-10.1
python-cffi-debugsource: before 1.13.2-3.2.5
python-cffi-debuginfo: before 1.13.2-3.2.5
python3-botocore: before 1.20.9-33.1
python3-boto3: before 1.17.9-19.1
python2-urllib3: before 1.25.10-9.14.1
python2-pycparser: before 2.17-3.2.1
python2-pyasn1: before 0.4.2-3.2.1
python2-asn1crypto: before 0.24.0-3.2.1
python3-urllib3: before 1.25.10-9.14.1
python3-pycparser: before 2.17-3.2.1
python3-pyasn1: before 0.4.2-3.2.1
python3-pyOpenSSL: before 17.5.0-8.3.1
python3-asn1crypto: before 0.24.0-3.2.1
python3-cryptography: before 2.8-10.1
python3-cffi: before 1.13.2-3.2.5
External linkshttp://www.suse.com/support/update/announcement/2021/suse-su-20212817-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.