GHSA-wqvq-5m8c-6g24

Source
https://github.com/advisories/GHSA-wqvq-5m8c-6g24
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-wqvq-5m8c-6g24/GHSA-wqvq-5m8c-6g24.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wqvq-5m8c-6g24
Aliases
Published
2021-06-18T18:46:43Z
Modified
2024-11-18T23:15:01.720801Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
CRLF injection in urllib3
Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Database specific
{
    "nvd_published_at": "2020-09-30T18:15:00Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T22:13:47Z"
}
References

Affected packages

PyPI / urllib3

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.25.9

Affected versions

0.*

0.2
0.3
0.3.1
0.4.0
0.4.1

1.*

1.0
1.0.1
1.0.2
1.1
1.2
1.2.1
1.2.2
1.3
1.4
1.5
1.6
1.7
1.7.1
1.8
1.8.2
1.8.3
1.9
1.9.1
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.11
1.12
1.13
1.13.1
1.14
1.15
1.15.1
1.16
1.17
1.18
1.18.1
1.19
1.19.1
1.20
1.21
1.21.1
1.22
1.23
1.24
1.24.1
1.24.2
1.24.3
1.25
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.25.7
1.25.8