CVE-2020-26137

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Configurations

Configuration 1 (hide)

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-09-30 18:15

Updated : 2024-11-21 05:19


NVD link : CVE-2020-26137

Mitre link : CVE-2020-26137

CVE.ORG link : CVE-2020-26137


JSON object : View

Products Affected

debian

  • debian_linux

oracle

  • communications_cloud_native_core_network_function_cloud_native_environment
  • zfs_storage_appliance_kit

canonical

  • ubuntu_linux

python

  • urllib3
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')