CVE-2019-9740 — MEDIUM (6.1)

Q: How severe is CVE-2019-9740?

CVE-2019-9740 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-9740?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python.

Vulnerability Description

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Python	Python	>= 2.0, < 2.7.17

Related Weaknesses (CWE)

CWE-93

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-UThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2021/02/04/2Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/107466Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:1260Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2030Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3335Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3520Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3725Third Party Advisory
https://bugs.python.org/issue36276ExploitIssue TrackingVendor Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00026.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2019-9740?

CVE-2019-9740 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the firs...

How severe is CVE-2019-9740?

CVE-2019-9740 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-9740?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python.