CVE-2022-0391

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-0391
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-0391.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-0391
Aliases
Related
Published
2022-02-09T23:15:16Z
Modified
2024-10-12T08:46:47.119110Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

References

Affected packages

Debian:11 / pypy3

Package

Name
pypy3
Purl
pkg:deb/debian/pypy3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.3.5+dfsg-2
7.3.5+dfsg-2+deb11u1
7.3.5+dfsg-2+deb11u2
7.3.6~rc2+dfsg-1
7.3.6~rc2+dfsg-2
7.3.6+dfsg-1
7.3.7+dfsg-1
7.3.7+dfsg-2
7.3.7+dfsg-3
7.3.7+dfsg-4
7.3.7+dfsg-5
7.3.8~rc1+dfsg-1
7.3.8~rc1+dfsg-2
7.3.8+dfsg-1
7.3.8+dfsg-2
7.3.9+dfsg-1
7.3.9+dfsg-2
7.3.9+dfsg-3
7.3.9+dfsg-4
7.3.9+dfsg-5
7.3.10~rc3+dfsg-1
7.3.10~rc3+dfsg-2
7.3.10+dfsg-1
7.3.11+dfsg-1
7.3.11+dfsg-2
7.3.12~rc1+dfsg-1
7.3.12~rc2+dfsg-1
7.3.12+dfsg-1
7.3.13+dfsg-1
7.3.14+dfsg-1
7.3.15+dfsg-1
7.3.16+dfsg-1
7.3.16+dfsg-2
7.3.17+dfsg-1
7.3.17+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / pypy3

Package

Name
pypy3
Purl
pkg:deb/debian/pypy3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.3.6+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / pypy3

Package

Name
pypy3
Purl
pkg:deb/debian/pypy3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.3.6+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / python2.7

Package

Name
python2.7
Purl
pkg:deb/debian/python2.7?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.18-8+deb11u1

Affected versions

2.*

2.7.18-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / python3.9

Package

Name
python3.9
Purl
pkg:deb/debian/python3.9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.9.2-1
3.9.3-1
3.9.3-2
3.9.4-1
3.9.5-1
3.9.5-2
3.9.5-3
3.9.6-1
3.9.7-1
3.9.7-2
3.9.7-4
3.9.8-1
3.9.8-2
3.9.9-1
3.9.9-2
3.9.9-3
3.9.9-4
3.9.10-1
3.9.10-2
3.9.11-1
3.9.12-1
3.9.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events

Affected versions

v3.*

v3.9.0
v3.9.1
v3.9.1rc1
v3.9.2
v3.9.2rc1
v3.9.3
v3.9.4