Improper Encoding or Escaping of Output

Affecting python2.7 package, versions <2.7.17-1~18.04ubuntu1.2


Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
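As an added illustration (not part of this advisory or of CPython's own code), the kind of check that closes this bug class, restricting a caller-supplied method to RFC 7230 token characters, plus a probe that confirms the running Python 3 interpreter's http.client enforces such a check; the host name is a placeholder and no connection is opened.

```python
import http.client
import re

# RFC 7230 "tchar" set: the only characters allowed in an HTTP method token.
# CR, LF and every other control character are excluded, so a method that
# would inject a second line into the request cannot pass this pattern.
_TCHAR_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid HTTP token, else raise.

    fullmatch() is used on purpose: with match()/search() a trailing `$`
    anchor also matches just before a final "\n", which would let "GET\n"
    slip through.
    """
    if not isinstance(method, str) or not _TCHAR_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return method


def interpreter_rejects_unsafe_method() -> bool:
    """Probe whether this interpreter's http.client refuses a method that
    contains a control character (the fixed versions raise ValueError).

    putrequest() only buffers the request line; it does not open a socket,
    so the placeholder host is never contacted.
    """
    conn = http.client.HTTPConnection("example.invalid")  # placeholder host
    try:
        conn.putrequest("GET\r\n", "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print("GET ->", validate_method("GET"))
    print("interpreter enforces method check:", interpreter_rejects_unsafe_method())
```

If the probe returns False, the interpreter predates the upstream fix and any code that passes untrusted input as the method argument should wrap it in validate_method() or an equivalent check.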

Remediation

Upgrade python2.7 to version or higher.

CVSS Score

7.2
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE
CVE-2020-26116
CWE
CWE-116
Snyk ID
SNYK-UBUNTU1804-PYTHON27-1018698
Disclosed
27 Sep, 2020
Published
14 Oct, 2020