Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affecting python-urllib3 package, versions debian:10: * || debian:8: <1.9.1-3+deb8u1 || debian:9: * || debian:unstable: * || ubuntu:14.04: <1.7.1-1ubuntu4.1+esm1 || ubuntu:16.04: <1.13.1-2ubuntu0.16.04.3 || ubuntu:18.04: <1.22-1ubuntu0.18.04.1 || ubuntu:18.10: <1.22-1ubuntu0.18.10.1


Overview

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
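The overview names the condition (attacker-controlled request parameter) but not what a defender does about it. The following is an added example, not code from Snyk or from the urllib3 project, showing the two standard mitigations for this class of bug at the application layer: fail closed by rejecting any control character in the raw request target, or neutralise untrusted input by percent-encoding it before it is spliced into a URL. The base URL, the `build_url` helper and the sample inputs are assumptions for illustration. One caveat worth knowing: since Python 3.9.5 `urllib.parse.urlsplit()` silently strips CR, LF and TAB (bpo-43882), so a check run on parsed components would miss the very input you are trying to reject; validate the raw string.

```python
"""Reject or neutralise CR/LF in user-controlled request components before
they reach an HTTP client. Added example; not urllib3's or Snyk's own code."""
import re
from typing import List, Tuple
from urllib.parse import quote

# CR (0x0D), LF (0x0A) and every other ASCII control character, including
# DEL (0x7F). None of these belong in a request line or a header value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def find_control_chars(value: str) -> List[Tuple[int, str]]:
    """Return (offset, repr) pairs for every control character in value."""
    return [(m.start(), repr(m.group())) for m in _CONTROL_CHARS.finditer(value)]


def validate_request_target(url: str) -> str:
    """Fail closed: raise ValueError if the raw URL contains any control character.

    Check the raw string, not the output of urllib.parse.urlsplit(): since
    Python 3.9.5 urlsplit() strips CR, LF and TAB from its input (bpo-43882),
    so a check on the parsed components would pass the input we want to reject.
    """
    bad = find_control_chars(url)
    if bad:
        raise ValueError(f"control characters in request target at {bad}")
    return url


def safe_path_segment(user_input: str) -> str:
    """Neutralise rather than reject: percent-encode one path segment so CR/LF
    become %0D%0A and cannot terminate the request line. safe="" also encodes
    '/', which keeps the untrusted value confined to a single segment."""
    return quote(user_input, safe="")


def build_url(base: str, segment: str) -> str:
    """Compose a URL from a trusted base (assumed to come from configuration)
    and an untrusted path segment, then validate the result before use."""
    return validate_request_target(f"{base.rstrip('/')}/{safe_path_segment(segment)}")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real application.
    print(build_url("https://example.com/api/items", "report 2019"))
    print(build_url("https://example.com/api/items", "x\r\ny"))
    try:
        validate_request_target("https://example.com/api/items/x\r\ny")
    except ValueError as exc:
        print("rejected:", exc)
```

Use `validate_request_target` as a last line of defence immediately before the call into the HTTP client, and `safe_path_segment` (or `quote` on each query value) at the point where untrusted data enters the URL; the two are complementary, since encoding handles the expected case and the validator catches any path that bypassed it. Upgrading to a fixed package version remains the primary fix.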

References

CVSS Score

6.1
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE
CVE-2019-11236
CWE
CWE-93
Snyk ID
SNYK-LINUX-PYTHONURLLIB3-443430
Disclosed
15 Apr, 2019
Published
15 Apr, 2019