Improper Encoding or Escaping of Output

Affecting python3.7 package, versions *


Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. The method is interpolated verbatim into the request line, so an embedded CR LF ends that line early and the remainder of the string is sent to the server as additional header lines or a second request.
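The following is an added example, not code from the advisory or from CPython, showing the injection point and a hardened call site. It drives HTTPConnection.request against a constructed recording socket (no network), reconstructs the request line an unpatched http.client produced, and validates the method as an RFC 7230 token before it reaches the library. The host name target.example, the payload, and the helper names are assumptions made for the example; the token check is deliberately stricter than CPython's own fix, which only rejects control characters 0x00-0x1f.

```python
import http.client
import re


# Stand-in for a connected socket: it records what http.client writes so the
# raw request can be inspected without any network access (constructed here).
class _RecordingSocket:
    def __init__(self):
        self.sent = bytearray()

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


def send_request(method, path="/", host="target.example"):
    """Hand an attacker-controlled method to HTTPConnection.request and return
    the bytes that would reach the wire. Interpreters carrying the fix for
    CVE-2020-26116 raise ValueError from putrequest before anything is sent."""
    conn = http.client.HTTPConnection(host)
    conn.sock = _RecordingSocket()   # pre-set so request() never calls connect()
    conn.request(method, path)
    return bytes(conn.sock.sent)


def probe(method, path="/"):
    """('rejected', reason) if the running http.client refuses the method,
    otherwise ('sent', raw_bytes). On an unpatched 3.7.x (< 3.7.9) the second
    form comes back and raw_bytes contains the injected lines."""
    try:
        return ("sent", send_request(method, path))
    except ValueError as exc:
        return ("rejected", str(exc))


def unpatched_request_line(method, path="/"):
    """The request line an unpatched http.client built: the method is
    interpolated verbatim, so CR LF inside it terminates the line early and
    everything after it is parsed by the server as further lines."""
    return f"{method} {path} HTTP/1.1\r\n".encode("ascii")


# RFC 7230 'token' characters; CR, LF, other controls and whitespace all fail.
_METHOD_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def is_valid_method(method):
    return bool(_METHOD_TOKEN.fullmatch(method))


def validate_method(method):
    """Hardened entry point: refuse anything that is not a token before it
    gets near HTTPConnection.request. Stricter than CPython's own fix, which
    only rejects control characters (0x00-0x1f)."""
    if not is_valid_method(method):
        raise ValueError(f"refusing HTTP method {method!r}")
    return method


def safe_request(method, path="/", host="target.example"):
    """Same call as send_request, but only token-shaped methods get through."""
    return send_request(validate_method(method), path, host)


# Constructed payload: a complete smuggled request followed by a fresh method
# for the request line http.client itself will append.
EVIL_METHOD = "GET /internal/admin HTTP/1.1\r\nX-Injected: 1\r\n\r\nPOST"

if __name__ == "__main__":
    print(unpatched_request_line(EVIL_METHOD).decode())
    print(probe(EVIL_METHOD))
```

Run it under a fixed interpreter and probe() reports the ValueError that putrequest now raises; under an unpatched one it returns the recorded bytes, in which the server sees a GET for /internal/admin with an injected header, then a second POST request. The allowlist in validate_method is the check to apply at any boundary where the method is user-controlled, independent of which Python the code eventually runs on.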

Remediation

There is no fixed version for python3.7.

CVSS Score

7.2
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE
CVE-2020-26116
CWE
CWE-116
Snyk ID
SNYK-DEBIAN10-PYTHON37-1013422
Disclosed
27 Sep, 2020
Published
27 Sep, 2020