Fluid Attacks Database

Description

In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-httplib2	>=0 <0.18.1-1	0.18.1-1
pypi	httplib2	>=0 <0.18.0	0.18.0
debian 14	python-httplib2	>=0 <0.18.1-1	0.18.1-1
debian 13	python-httplib2	>=0 <0.18.1-1	0.18.1-1
debian 11	python-httplib2	>=0 <0.18.1-1	0.18.1-1
rpm rhel8	python-httplib2	-	-
rpm rhel7	fence-agents	<0:4.2.1-41.el7_9.2	0:4.2.1-41.el7_9.2
rpm rhel7	resource-agents	<0:4.1.1-61.el7_9.4	0:4.1.1-61.el7_9.4
rpm rhel8	resource-agents	<0:4.1.1-68.el8	0:4.1.1-68.el8

Aliases

1. CVE-2020-110782. NVD-2020-110783. OSV-DEBIAN-2020-110784. OSV-2020-110785. GHSA-gg84-qgv9-w4pq6. GCVE-2020-110787. SECURITY-TRACKER-CVE-2020-110788. lists.debian.org

References

1. https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq2. https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e3. https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2020-46.yaml4. https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E5. https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E6. https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E7. https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E8. https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E9. https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E10. https://lists.fedoraproject.org/archives/list/[email protected]/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J11. https://lists.fedoraproject.org/archives/list/[email protected]/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.