CVE-2020-26137

Name
CVE-2020-26137
Description
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
NVD Severity
medium

References

| Type | URI |
|---|---|
| Issue Tracking | https://bugs.python.org/issue39603 |
| Patch | https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b |
| Patch | https://github.com/urllib3/urllib3/pull/1800 |
| UBUNTU | https://usn.ubuntu.com/4570-1/ |
| MLIST | https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html |
| MISC | https://www.oracle.com/security-alerts/cpuoct2021.html |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:* | urllib3 | >= None | < 1.25.9 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status