CVE-2020-26137

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-26137

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26137.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-26137

Aliases

Downstream

ALPINE-CVE-2020-26137

DEBIAN-CVE-2020-26137

DLA-2686-1

DLA-3610-1

RHSA-2020:4299

RHSA-2021:0034

RHSA-2021:0079

RHSA-2021:1631

RHSA-2021:1761

RHSA-2022:5235

SUSE-FU-2022:0444-1

SUSE-FU-2022:0445-1

SUSE-SU-2020:3309-1

SUSE-SU-2020:3624-1

SUSE-SU-2020:3723-1

SUSE-SU-2020:3897-1

SUSE-SU-2021:2817-1

SUSE-SU-2021:3251-1

UBUNTU-CVE-2020-26137

USN-4570-1

openSUSE-SU-2020:2237-1

openSUSE-SU-2020:2282-1

openSUSE-SU-2021:1206-1

openSUSE-SU-2021:2817-1

openSUSE-SU-2024:13212-1

openSUSE-SU-2024:13213-1

Related

Published

2020-09-30T18:15:26.773Z

Modified

2025-11-14T10:59:06.669346Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

Affected packages

Git / github.com/urllib3/urllib3

Affected ranges

Type: GIT
Repo: https://github.com/urllib3/urllib3
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Affected versions

0.*

0.3

0.3.1

0.4

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.10

1.10.1

1.10.2

1.2

1.2.1

1.25

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.1

1.8.2

1.8.3

1.9

1.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26137.json"