VDB
CISA-2022-0391
CISA-2022-0391
PUBLISHED
CVSS 7.5 HIGH
Reported by redhat · Published February 9, 2022
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | python | python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14 |
| n/a | python | python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14, * |
Timeline
- Feb 9, 2022 CVE Published
- Dec 17, 2025 CVE Updated
- Apr 26, 2026 Security Advisory
References
- FEDORA-2022-ef99a016f6 vendor-advisory
- FEDORA-2022-18ad73aba6 vendor-advisory
- GLSA-202305-02 vendor-advisory
- [debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update mailing-list
- https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html url
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html url