CVE-2020-26137 – urllib3
Package
Manager: pip
Name: urllib3
Vulnerable Version: >=0 <1.25.9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00245 (percentile 0.47675)
Details
CRLF injection in urllib3
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.
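A caller-side guard for the condition described above, as an added example (not urllib3's own code and not part of the advisory): it rejects any request method that is not an RFC 7230 token before the value reaches an HTTP client, and flags version strings inside the advisory's affected range. The function names and sample inputs are assumptions constructed for illustration; the version check ignores pre-release suffixes.

```python
import re

# RFC 7230 "token" characters: the only characters legal in an HTTP method.
_NON_TOKEN = re.compile(r"[^-!#$%&'*+.^_`|~0-9A-Za-z]")
FIXED_IN = (1, 25, 9)  # first fixed release, from the advisory's version range


def validate_method(method):
    """Return the method unchanged, or raise ValueError if it is not a token."""
    if not isinstance(method, str) or not method:
        raise ValueError("HTTP method must be a non-empty string")
    bad = _NON_TOKEN.search(method)
    if bad:
        raise ValueError("non-token character %r at offset %d in HTTP method"
                         % (bad.group(), bad.start()))
    return method


def is_affected(version):
    """True if a urllib3 version string falls in the affected range (<1.25.9)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) < FIXED_IN


def check_methods(methods):
    """Map each candidate method to True (accepted) or False (rejected)."""
    results = {}
    for m in methods:
        try:
            validate_method(m)
            results[m] = True
        except ValueError:
            results[m] = False
    return results


if __name__ == "__main__":
    # Constructed sample inputs; the third carries CR and LF after the verb.
    samples = ["GET", "PATCH", "GET\r\nX-Injected: 1", "DELETE /x"]
    for m, ok in check_methods(samples).items():
        print("%-24r %s" % (m, "accepted" if ok else "rejected"))
    print("1.25.8 affected:", is_affected("1.25.8"))
```

Upgrading to 1.25.9 or later is the fix; a guard like this is useful where the method string comes from request data, configuration, or another untrusted source and the installed version cannot be guaranteed.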
Metadata
Created: 2021-06-18T18:46:43Z
Modified: 2024-11-18T22:42:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-wqvq-5m8c-6g24/GHSA-wqvq-5m8c-6g24.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-wqvq-5m8c-6g24
Finding: F184
Auto approve: 1