CVE-2020-26137

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-26137
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26137.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26137
Aliases
Downstream
Related
Published
2020-09-30T18:15:26.773Z
Modified
2026-04-11T12:34:03.638714Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "22.2.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "8.8"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "16.04"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "18.04"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "20.04"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/urllib3/urllib3

Affected ranges

Type
GIT
Repo
https://github.com/urllib3/urllib3
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
21758b0694ea53b499e832a993e8d1ada01135b2
Fixed
1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
Database specific 
{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.25.9"
        }
    ]
}

Affected versions

0.*
0.3
0.3.1
0.4
0.4.1
1.*
1.1
1.2
1.2.1
1.25
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.25.7
1.25.8
1.3
1.4
1.5
1.6
1.7
1.7.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26137.json"