Main Vulnerability Database Vulnerabilities #VU31958

CRLF injection in Python - CVE-2019-18348

Published: October 23, 2019 / Updated: July 28, 2020

Vulnerability identifier: #VU31958

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-18348

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Python.org

Affected software:
Python

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

How to mitigate CVE-2019-18348

Install update from vendor's website.

CRLF injection in Python - CVE-2019-18348

Detailed vulnerability description

How to mitigate CVE-2019-18348

Sources

Please verify you're human