HIGH · 7.2

CVE-2020-26116

Vulnerability Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
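Two checks a defender can run against this advisory: whether a given CPython version falls inside the affected ranges quoted above, and a method validator that rejects control characters before a caller-supplied method reaches HTTPConnection.request. This is an added example written for this page, not code from the advisory or from CPython; the version table is transcribed from the description, and the function names are my own.

```python
"""Defensive helpers for CVE-2020-26116 (CRLF injection through the HTTP
request method in http.client). Added example; the version ranges below are
transcribed from the advisory text, the helper names are assumptions."""
import re

# First fixed micro release per minor series, from the advisory: 3.5.10,
# 3.6.12, 3.7.9 and 3.8.5. Releases before 3.5 are affected with no fix.
_FIRST_FIXED_MICRO = {(3, 5): 10, (3, 6): 12, (3, 7): 9, (3, 8): 5}


def is_affected(version):
    """Return True if a CPython (major, minor, micro) tuple is in an affected
    range; 3.9 and later are not listed and shipped with the fix."""
    major, minor, micro = version[:3]
    if major != 3:
        return False
    fixed = _FIRST_FIXED_MICRO.get((major, minor))
    if fixed is None:
        return minor < 5
    return micro < fixed


# Any C0 control character (0x00-0x1f) is rejected, which covers the CR and
# LF characters the advisory names rather than only the literal "\r\n" pair.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method):
    """Raise ValueError for a method that could break out of the request line."""
    if not isinstance(method, str) or not method:
        raise ValueError("HTTP method must be a non-empty string")
    match = _CONTROL_CHARS.search(method)
    if match:
        raise ValueError(f"method contains control character {match.group()!r}")
    return method


def is_safe_method(method):
    """Boolean form of validate_method, for callers that gate on a flag."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def request_line(method, target, version="HTTP/1.1"):
    """Build a request line only from a validated method."""
    return f"{validate_method(method)} {target} {version}\r\n"
```

On an unpatched interpreter, calling validate_method on the untrusted value before passing it to HTTPConnection.request gives the same rejection the fixed releases perform internally; on a patched interpreter it is a harmless second check.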

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor         | Product                   | Versions
Python         | Python                    | >= 3.0.0, < 3.5.10
Fedoraproject  | Fedora                    | 31
Canonical      | Ubuntu Linux              | 12.04
Netapp         | Solidfire                 | -
Netapp         | Hci Compute Node          | -
Netapp         | Hci Storage Node          | -
Debian         | Debian Linux              | 9.0
Oracle         | Zfs Storage Appliance Kit | 8.8
Opensuse       | Leap                      | 15.1

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-26116?

CVE-2020-26116 is a vulnerability with a CVSS score of 7.2 (HIGH). http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

How severe is CVE-2020-26116?

CVE-2020-26116 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26116?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Fedoraproject Fedora, Canonical Ubuntu Linux, Netapp Solidfire, Netapp Hci Compute Node.