CVE-2019-9740
python: CRLF injection via the query part of the url passed to urlopen()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r
(specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Se detectó un problema en urllib2 en Python 2.x hasta 2.7.16 y urllib en Python 3.x hasta 3.7.3. La inyección de CRLF es posible si el atacante controla un parámetro url, como lo demuestra el primer argumento de urllib.request.urlopen con \r
(específicamente en la cadena de consulta después de un carácter ?) Seguido por un encabezado HTTP o un comando Redis. Esto está corregido en las versiones: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include bypass and null pointer vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-12 CVE Reserved
- 2019-03-13 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2025-06-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CAPEC
References (31)
URL | Tag | Source |
---|---|---|
http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html | Third Party Advisory |
|
http://www.openwall.com/lists/oss-security/2021/02/04/2 | Mailing List |
|
http://www.securityfocus.com/bid/107466 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html | Mailing List |
|
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html | Mailing List |
|
https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html | Mailing List |
|
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html | Mailing List |
|
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html | Mailing List |
|
https://seclists.org/bugtraq/2019/Oct/29 | Mailing List |
|
https://security.netapp.com/advisory/ntap-20190619-0005 | Third Party Advisory |
|
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
|
URL | Date | SRC |
---|---|---|
https://bugs.python.org/issue36276 | 2024-08-04 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 2.0 < 2.7.17 Search vendor "Python" for product "Python" and version " >= 2.0 < 2.7.17" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.5.0 < 3.5.8 Search vendor "Python" for product "Python" and version " >= 3.5.0 < 3.5.8" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.6.0 < 3.6.9 Search vendor "Python" for product "Python" and version " >= 3.6.0 < 3.6.9" | - |
Affected
| ||||||
Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | >= 3.7.0 < 3.7.4 Search vendor "Python" for product "Python" and version " >= 3.7.0 < 3.7.4" | - |
Affected
|