CVE-2020-11078 – httplib2

Package

Manager: pip
Name: httplib2
Vulnerable Version: >=0 <0.18.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

EPSS: 0.03194 pctl0.86489

Details

CRLF injection in httplib2 ### Impact Attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. ### Patches Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib. ### Workarounds Create URI with `urllib.parse` family functions: `urlencode`, `urlunsplit`. ```diff user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:" -uri = "https://api.server/?q={}".format(user_input) +uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), "")) http.request(uri) ``` ### References https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification. ### For more information If you have any questions or comments about this advisory: * Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new) * Email [current maintainer at 2020-05](mailto:temotor@gmail.com)

Metadata

Created: 2020-05-20T15:55:47Z
Modified: 2024-09-20T21:55:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-gg84-qgv9-w4pq/GHSA-gg84-qgv9-w4pq.json
CWE IDs: ["CWE-93"]
Alternative ID: GHSA-gg84-qgv9-w4pq
Finding: F184
Auto approve: 1