CVE-2020-26116

Status: Modified
Published: 27 Sept 2020, 00:00
Last modified: 04 Aug 2024, 15:49

Vulnerability Summary

Overall Risk (default): medium (39/100)
CVSS Score: 7.2 HIGH (v3.1, NVD)
EPSS Score: 0.9% LOW (about 1% probability; trend -0.08%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

27 Sept 2020, 00:00
Published
Vulnerability first disclosed
04 Aug 2024, 15:49
Last Modified
Vulnerability information updated

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
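The following is an added example, not CPython code or anything from the advisory. It rebuilds in miniature how the affected http.client versions assembled the request line, shows what a server-side parser sees when the method argument carries CR and LF, and then applies a control-character check modelled on the upstream fix together with a stricter call-site allow-list. The `EVIL_METHOD` string, the `ALLOWED_METHODS` set and the `/api` path are constructed for the demonstration; the interpreter probe at the end uses only real `http.client` calls and needs no network.

```python
"""CVE-2020-26116: CRLF injection through an attacker-controlled HTTP method.

Added example (not CPython code). The constants below are constructed for the
demonstration.
"""
import http.client
import re

HTTP_VSN_STR = "HTTP/1.1"

# Constructed attacker input: a "method" that is really a complete request line,
# a smuggled header, and then the start of the real method.
EVIL_METHOD = "GET / HTTP/1.1\r\nX-Injected: yes\r\nGET"


def build_request_line_unchecked(method: str, url: str) -> bytes:
    """Assemble the request line the way the affected versions did: the method
    is interpolated verbatim, so CR/LF inside it reaches the wire unchanged."""
    return ("%s %s %s\r\n" % (method, url, HTTP_VSN_STR)).encode("ascii")


def parse_request_lines(wire: bytes) -> list:
    """What a server-side parser sees: every CRLF-terminated line is a separate
    request line or header, regardless of how the client meant them."""
    return wire.decode("ascii").rstrip("\r\n").split("\r\n")


# Any ASCII control character, which includes CR (0x0d) and LF (0x0a).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method: str) -> str:
    """Reject control characters in the method. Modelled on the check that the
    fixed Python releases perform in putrequest(); not the library's own code."""
    match = _CONTROL_CHARS.search(method)
    if match:
        raise ValueError(
            "method can't contain control characters. %r (found at least %r)"
            % (method, match.group())
        )
    return method


def build_request_line_checked(method: str, url: str) -> bytes:
    """Hardened assembly: validate before interpolating."""
    return build_request_line_unchecked(validate_method(method), url)


def method_is_rejected(method: str) -> bool:
    """True if the hardened builder refuses the method."""
    try:
        build_request_line_checked(method, "/api")
    except ValueError:
        return True
    return False


# Call-site defence that does not depend on the interpreter being patched:
# only forward verbs from a fixed allow-list (hypothetical list for this example).
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


def allowlisted_method(user_supplied: str) -> str:
    """Map untrusted input to an allow-listed verb or raise; never pass it on raw."""
    candidate = user_supplied.upper()
    if candidate not in ALLOWED_METHODS:
        raise ValueError("unsupported HTTP method: %r" % user_supplied)
    return candidate


def installed_client_rejects_crlf_method() -> bool:
    """Probe the running interpreter. putrequest() only buffers the request line
    (no socket is opened until the headers are sent), so this runs offline: a
    patched http.client raises ValueError, an affected one returns normally."""
    conn = http.client.HTTPConnection("localhost", 80)
    try:
        conn.putrequest(EVIL_METHOD, "/api")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    wire = build_request_line_unchecked(EVIL_METHOD, "/api")
    print("affected client would send:", wire)
    for line in parse_request_lines(wire):
        print("  server sees:", line)
    print("hardened builder rejects it:", method_is_rejected(EVIL_METHOD))
    print("this interpreter's http.client is patched:",
          installed_client_rejects_crlf_method())
```

Two practical points follow from this. First, the upstream check stops control characters only; a method such as `"GET X"` still produces a malformed request line, so code that lets callers choose the verb should map it through an allow-list as `allowlisted_method` does rather than rely on the library alone. Second, on a fixed interpreter the rejection happens in `putrequest()` as a `ValueError`, before any connection is opened, so applications that previously accepted arbitrary method strings may start failing at that call once they are upgraded to 3.5.10, 3.6.12, 3.7.9 or 3.8.5.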

CVSS Metrics

  • v3.1 HIGH, score 7.2: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • v2.0 MEDIUM, score 6.4: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.90% (percentile: 76%)

Techniques & Countermeasures

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Systems

  • canonical / ubuntu_linux

    12.04 | 14.04 | 16.04 | 18.04

  • debian / debian_linux

    9.0

  • fedoraproject / fedora

    31 | 32 | 33

  • netapp / hci_storage_node

    na

  • netapp / solidfire

    na

  • opensuse / leap

    15.1

  • oracle / zfs_storage_appliance_kit

    8.8

  • python / python

    ≥ 3.0.0, < 3.5.10 | ≥ 3.6.0, < 3.6.12 | ≥ 3.7.0, < 3.7.9 | ≥ 3.8.0, < 3.8.5

References (14)