Vulnerability Description
In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change the request headers and body and send additional hidden requests to the same server. This vulnerability affects software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
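The safe construction the description contrasts with string concatenation, as an added example that is not httplib2's own code: a trusted base is combined with untrusted path and query parts using urllib escaping, and a hypothetical `uri_is_safe` pre-request check (to be applied before calling `httplib2.Http.request()`) rejects any URI that still carries raw CR/LF. The host `api.example.test` and the sample inputs are constructed.

```python
from urllib.parse import quote, urlencode, urlsplit

# Raw CR/LF (or NUL) in a request line is what lets attacker-controlled
# text be read as extra headers or a further request on the same connection.
_FORBIDDEN = {"\r", "\n", "\0"}


def build_uri(base, path_segments, query=None):
    """Build an absolute URI with every untrusted component escaped.

    base: "scheme://host[:port]" taken from trusted configuration
    path_segments: untrusted path pieces, each percent-encoded on its own
    query: optional dict of untrusted query parameters
    """
    path = "/".join(quote(seg, safe="") for seg in path_segments)
    uri = f"{base.rstrip('/')}/{path}"
    if query:
        uri += "?" + urlencode(query)
    return uri


def naive_uri(base, user_id):
    """The vulnerable pattern named in the description: an unescaped,
    attacker-influenced value concatenated straight into the URI."""
    return base + "/users/" + user_id


def uri_is_safe(uri):
    """Defensive check to run before handing a URI to Http.request():
    refuse anything still carrying control characters, and require an
    http(s) scheme with a host so the request line is well formed."""
    if any(ch in uri for ch in _FORBIDDEN):
        return False
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    # Constructed input containing a CR/LF sequence, as a user-supplied id.
    untrusted_id = "alice\r\nX-Injected: 1"
    base = "https://api.example.test"
    print("safe  :", build_uri(base, ["users", untrusted_id]))
    print("naive :", repr(naive_uri(base, untrusted_id)),
          "accepted" if uri_is_safe(naive_uri(base, untrusted_id)) else "rejected")
```

The escaped form turns the CR/LF into `%0D%0A`, so the server sees a single request for one (odd-looking) path; the concatenated form fails the check and should never reach the HTTP client.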
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Httplib2 Project | Httplib2 | < 0.18.0 |
| Fedoraproject | Fedora | 31 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e9886587 (Patch, Third Party Advisory)
- https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb
- https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b7221
- https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd
- https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201
- https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c
- https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8
- https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-11078?
CVE-2020-11078 is a vulnerability with a CVSS score of 6.8 (MEDIUM). In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change the request headers and body and send additional hidden requests to the same server. Th...
How severe is CVE-2020-11078?
CVE-2020-11078 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-11078?
Check the references section above for vendor advisories and patch information. Affected products include: Httplib2 (Httplib2 Project), Fedora (Fedoraproject), and Debian Linux (Debian).