Main Vulnerability Database Vulnerabilities #VU31958

#VU31958 CRLF injection in Python - CVE-2019-18348

Published: October 23, 2019 / Updated: July 28, 2020

Vulnerability identifier: #VU31958

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-18348

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Python

Software vendor:
Python.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

Remediation

Install update from vendor's website.

#VU31958 CRLF injection in Python - CVE-2019-18348

Description

Remediation

External links

Please verify you're human