#VU18828 CRLF injection in Python


| Updated: 2020-07-20

Vulnerability identifier: #VU18828

Vulnerability risk: Medium

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-9947

CWE-ID: CWE-93

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to perform CRLF injection attacks.

The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 2.7.0 - 2.7.2150, 3.0.0 - 3.0.1, 3.1.0 - 3.1.2150, 3.2.0 - 3.2.2150, 3.3 - 3.3.7, 3.4 - 3.4.10, 3.5 - 3.5.7, 3.6 - 3.6.8, 3.7 - 3.7.3, 3.8


External links
http://access.redhat.com/errata/RHSA-2019:1260
http://bugs.python.org/issue35906
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
http://security.netapp.com/advisory/ntap-20190404-0004/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability