#VU18829 CRLF injection in Python - CVE-2019-9740
Vulnerability identifier: #VU18829
Vulnerability risk: Medium
CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-9740
CWE-ID:
CWE-93
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Python
Universal components / Libraries /
Scripting languages
Vendor: Python.org
Description
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Python: 2.7.0 - 2.7.2150, 3.0.0 - 3.0.1, 3.1.0 - 3.1.2150, 3.2.0 - 3.2.2150, 3.3 - 3.3.7, 3.4 - 3.4.10, 3.5 - 3.5.7, 3.6 - 3.6.8, 3.7 - 3.7.3, 3.8
External links
https://www.securityfocus.com/bid/107466
https://access.redhat.com/errata/RHSA-2019:1260
https://bugs.python.org/issue36276
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
