CRLF injection in Python - CVE-2019-9947
Published: June 19, 2019 / Updated: July 20, 2020
Vulnerability identifier: #VU18828
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-9947
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Python.org
Affected software:
Python
Python
Detailed vulnerability description
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
How to mitigate CVE-2019-9947
Install update from vendor's website.
Sources
- https://access.redhat.com/errata/RHSA-2019:1260
- https://bugs.python.org/issue35906
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://security.netapp.com/advisory/ntap-20190404-0004/