CRLF injection in Python

#VU48592 CRLF injection in Python

Published: 2020-09-27 | Updated: 2022-07-20

Vulnerability identifier: #VU48592

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26116

CWE-ID: CWE-93

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data in "http.client". A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 3.5.0 - 3.5.9, 3.6.0 - 3.6.11, 3.7.0 - 3.7.8, 3.8.0 - 3.8.4 rc1, 3.0 - 3.0.1, 3.1 - 3.1.2150, 3.2 - 3.2.2150, 3.3 - 3.3.7, 3.4 - 3.4.10

External links
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
http://bugs.python.org/issue39603
http://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
http://python-security.readthedocs.io/vuln/http-header-injection-method.html
http://security.netapp.com/advisory/ntap-20201023-0001/
http://usn.ubuntu.com/4581-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell XtremIO X2

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

ClevOS update for IBM Cloud Object Storage Systems

Multiple vulnerabilities in OpenShift Container Platform 3.11

Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.3

Multiple vulnerabilities in IBM Cloud Pak for Security

CentOS 7 update for python

Multiple vulnerabilities in Oracle Linux

Red Hat Enterprise Linux for Scientific Computing 7 update for python