BIT-python-min-2020-26116
PUBLISHED
CVSS 7.2 HIGH
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Risk Scores
CVSS 3.1
7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | python-min | 3.0.0, 3.6.0, 3.7.0 |
Exploit Intelligence
- zephyr-crosstool-arm-grype.html (github-poc)
Timeline
- Jan 16, 2025 CVE Published
- Aug 11, 2025 CVE Updated
References
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
- https://bugs.python.org/issue39603
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- https://python-security.readthedocs.io/vuln/http-header-injection-method.html
- https://security.gentoo.org/glsa/202101-18
- https://security.netapp.com/advisory/ntap-20201023-0001/
- https://usn.ubuntu.com/4581-1/
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-26116