CVE-2019-11236
Aliases:GHSA-r64q-w8jr-g9qpPYSEC-2019-132
Advisory lineage Upstream: 0 Downstream: 30
Modified
Published: 15 Apr 2019, 00:00
Last modified:04 Aug 2024, 22:48
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
6.1 MEDIUM
v3.0 (nvd)
EPSS Score
0.57% LOW
1% probability -0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
15 Apr 2019, 00:00
Published
Vulnerability first disclosed
04 Aug 2024, 22:48
Last Modified
Vulnerability information updated
Description
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVSS Metrics
- v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
- v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.57%• Percentile: 69%
Techniques & Countermeasures
- CWE-93•Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Affected Systems
- PyPI•urllib3
< 1.24.3
- python•urllib3
≤ 1.24.2
References (29)
- https://github.com/urllib3/urllib3/issues/1553
- https://usn.ubuntu.com/3990-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
- https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
- https://usn.ubuntu.com/3990-2/
- https://access.redhat.com/errata/RHSA-2019:2272
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
- https://access.redhat.com/errata/RHSA-2019:3590
- https://access.redhat.com/errata/RHSA-2019:3335
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-11236
- https://usn.ubuntu.com/3990-2
- https://usn.ubuntu.com/3990-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72
- https://github.com/urllib3/urllib3
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2019-132.yaml
- https://github.com/advisories/GHSA-r64q-w8jr-g9qp
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/