GHSA-wqvq-5m8c-6g24

Source

https://github.com/advisories/GHSA-wqvq-5m8c-6g24

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-wqvq-5m8c-6g24/GHSA-wqvq-5m8c-6g24.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-wqvq-5m8c-6g24

Aliases

Published

2021-06-18T18:46:43Z

Modified

2024-11-18T23:15:01.720801Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

CRLF injection in urllib3

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Database specific

{
    "cwe_ids": [
        "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T22:13:47Z",
    "severity": "MODERATE",
    "nvd_published_at": "2020-09-30T18:15:00Z"
}

References

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.9

Affected versions

0.*

0.2

0.3

0.3.1

0.4.0

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.2

1.2.1

1.2.2

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.2

1.8.3

1.9

1.9.1

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.17

1.18

1.18.1

1.19

1.19.1

1.20

1.21

1.21.1

1.22

1.23

1.24

1.24.1

1.24.2

1.24.3

1.25

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8