#VU18828 CRLF injection in Python
Vulnerability identifier: #VU18828
Vulnerability risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-93
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Python
Universal components / Libraries /
Scripting languages
Vendor: Python.org
Description
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Python: 2.7.0 - 2.7.2150, 3.7 - 3.7.3, 3.6 - 3.6.8, 3.5 - 3.5.7, 3.4 - 3.4.10, 3.3 - 3.3.7, 3.1.0 - 3.1.2150, 3.0.0 - 3.0.1, 3.8, 3.2.0 - 3.2.2150
External links
http://access.redhat.com/errata/RHSA-2019:1260
http://bugs.python.org/issue35906
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
http://security.netapp.com/advisory/ntap-20190404-0004/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
