FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- CRLF injection via the host part of the url passed to urlopen()

Affected packages
python27 < 2.7.18
python38 < 3.8.3
python37 <= 3.7.7
python36 < 3.6.10
python35 <= 3.5.9_4

Details

VuXML ID ca595a25-91d8-11ea-b470-080027846a02
Discovery 2019-10-24
Entry 2020-05-09
Modified 2020-06-13

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
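
The defensive counterpart to the report above, as an added example that is not part of the VuXML entry and not CPython's own code: a small validator that refuses to hand a URL to urlopen() when its host component carries CR, LF or any other control character. It inspects the raw, unparsed string on purpose, because current urllib.parse.urlsplit() silently strips CR, LF and TAB from a URL, so a check on the parsed netloc can pass a string that was in fact tampered with. The helper names (check_url_host, safe_urlopen, host_is_safe) and the sample inputs are assumptions made for this example.

```python
"""Reject URLs whose host part contains control characters before calling
urlopen(). Added example for the CVE-2019-18348 advisory; helper names and
sample URLs below are constructed for illustration."""
import re
from urllib.request import urlopen

# Authority extraction on the *unparsed* string: scheme, "://", then everything
# up to the first "/", "?" or "#". Done by hand rather than via urlsplit()
# because urlsplit() drops CR/LF/TAB, which would hide the bytes we look for.
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

# Control characters (NUL..SPACE) and DEL never belong in a host or port.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


class UnsafeURL(ValueError):
    """Raised when a URL is not absolute or its host contains control chars."""


def raw_authority(url: str) -> str:
    """Return the userinfo@host:port part of an absolute URL, unmodified."""
    m = _AUTHORITY_RE.match(url)
    if m is None:
        raise UnsafeURL(f"not an absolute URL: {url!r}")
    return m.group(1)


def check_url_host(url: str) -> str:
    """Return url unchanged if its authority is clean, else raise UnsafeURL."""
    authority = raw_authority(url)
    bad = _CONTROL_CHARS.search(authority)
    if bad is not None:
        raise UnsafeURL(
            f"control character {bad.group()!r} at offset {bad.start()} "
            f"in host part {authority!r}"
        )
    return url


def safe_urlopen(url: str, **kwargs):
    """Drop-in wrapper: validate the host first, then defer to urlopen()."""
    return urlopen(check_url_host(url), **kwargs)


def host_is_safe(url: str) -> bool:
    """Boolean form of check_url_host() for use in filters and tests."""
    try:
        check_url_host(url)
        return True
    except UnsafeURL:
        return False


# Constructed sample inputs (not taken from the advisory). The second one
# embeds the CRLF sequence the advisory describes; the validator must refuse
# it before any socket is opened.
SAMPLES = {
    "clean": "http://example.com/index.html",
    "crlf_in_host": "http://example.com\r\nX-Injected: yes/",
    "tab_in_host": "http://example.com\t:8080/",
    "relative": "/just/a/path",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:13s} safe={host_is_safe(url)}")
```

The check is deliberately strict about the whole authority (userinfo, host and port), since any of those is written into the request line or Host header without further encoding. Note that with a fixed interpreter http.client raises InvalidURL for such hosts on its own; this wrapper gives the same refusal on interpreters older than the versions listed under "Affected packages", and a clear exception type to catch in application code.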

References

CVE Name CVE-2019-18348
URL https://bugs.python.org/issue38576
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348