PYSEC-2020-148 — Vulnetix

PYSEC-2020-148 PUBLISHED

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Affected Products

Vendor	Product	Versions
PyPI	urllib3	0, 0, 0.2

Timeline

Sep 30, 2020 CVE Published
Nov 8, 2023 CVE Updated

References

https://bugs.python.org/issue39603 url
https://github.com/advisories/GHSA-wqvq-5m8c-6g24 advisory
https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b fix
https://github.com/urllib3/urllib3/pull/1800 fix
https://usn.ubuntu.com/4570-1/ advisory

Open in Interactive Console →