Arbitrary Code Injection

Affecting python2 package, versions <2.7.18-r0

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to Arbitrary Code Injection. An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

Remediation

Upgrade python2 to version or higher.

References

CVSS Score

6.1
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE
CVE-2019-18348
CWE
CWE-74
Snyk ID
SNYK-ALPINE39-PYTHON2-587822
Disclosed
23 Oct, 2019
Published
21 Jul, 2020