SB2025092344 - Multiple vulnerabilities in F5 BIG-IP Python component 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025092344

SB2025092344 - Multiple vulnerabilities in F5 BIG-IP Python component

Published: September 23, 2025

Security Bulletin ID SB2025092344
Severity
Medium
Patch available
NO
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) CRLF injection (CVE-ID: CVE-2019-18348)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)


2) CRLF injection (CVE-ID: CVE-2019-9740)

The vulnerability allows a remote attacker to perform CRLF injection attacks.

The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.


3) CRLF injection (CVE-ID: CVE-2019-9947)

The vulnerability allows a remote attacker to perform CRLF injection attacks.

The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.


4) Input validation error (CVE-ID: CVE-2016-10739)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the getaddrinfo() function accepts an IPv4 address followed by whitespace and arbitrary characters and treats his input as a correct IPv4 address. Software that accepts input from the getaddrinfo() function may incorrectly assume that the function return IPv4 address only. As a result, a remote attacker can inject arbitrary data into the IPv4 address and change application's behavior that relies on getaddrinfo() output (e.g., inject HTTP headers or other potentially dangerous strings).



Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References