#VU47403 CRLF injection in urllib3


Published: 2020-09-30 | Updated: 2022-07-20

Vulnerability identifier: #VU47403

Vulnerability risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26137

CWE-ID: CWE-93

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
urllib3
Other software / Other software solutions

Vendor: shazow (Andrey Petrov)

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

urllib3: 1.17 - 1.25.8

External links
http://bugs.python.org/issue39603
http://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
http://github.com/urllib3/urllib3/pull/1800

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Networking OS10
Multiple vulnerabilities in IBM Cloud Pak for Data System
CRLF injection in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Spectrum Symphony
Multiple vulnerabilities in IBM Cloud Pak for Data Scheduling
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
CRLF injection in IBM Robotic Process Automation for Cloud Pak
Multiple vulnerabilities in Dell XtremIO X2
Multiple vulnerabilities in IBM Security Guardium
Multiple vulnerabilities in Dell xDoctor4ECS