VDB
ALPINE-CVE-2019-18348
ALPINE-CVE-2019-18348
PUBLISHED
CVSS 6.099999904632568 MEDIUM
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
Risk Scores
CVSS v3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.11 | python2 | 2.7.15-r1, 2.7.15-r0, 2.7.14-r4 |
| Alpine:v3.9 | python2 | 2.7.15-r0, 2.7.9-r4, 2.7.9-r3 |
| Alpine:v3.10 | python2 | 0, 2.6.1-r1, 2.6.3-r0 |
| Alpine:v3.12 | python2 | 2.7.9-r4, 2.7.9-r3, 2.7.9-r2 |
Timeline
- Oct 23, 2019 CVE Published
- Nov 19, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch