MEDIUM · 6.5

CVE-2020-26137


Vulnerability Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
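The defect described above is a missing token check on the method string before it is written into the request line. As an added illustration (not urllib3's own code, and not the 1.25.9 patch itself), the check below enforces the RFC 7230 "tchar" grammar for the method, so a value carrying CR or LF can never reach the wire; the helper names and sample inputs are constructed for this example.

```python
import re

# RFC 7230 "tchar": the only characters an HTTP method token may contain.
# Note that CR, LF, SP and every other control character are excluded.
_TCHAR_RE = re.compile(r"[-!#$%&'*+.^_`|~0-9A-Za-z]+")


def is_valid_method(method: str) -> bool:
    """Return True only if `method` is a single RFC 7230 token."""
    return _TCHAR_RE.fullmatch(method) is not None


def build_request_line(method: str, target: str, version: str = "HTTP/1.1") -> str:
    """Build an HTTP/1.1 request line, refusing a non-token method.

    Without the check, a method such as "GET\\r\\nX-Injected: 1" ends the
    request line early and the remainder is parsed by the server as extra
    header lines, which is the CRLF injection CVE-2020-26137 describes for
    urllib3 < 1.25.9.
    """
    if not is_valid_method(method):
        raise ValueError("HTTP method must be an RFC 7230 token")
    # The request target is outside this CVE's scope, but control characters
    # there would allow the same line splitting, so reject them too.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("request target must not contain control characters")
    return f"{method} {target} {version}\r\n"


def rejected(method: str, target: str = "/") -> bool:
    """Convenience probe: True if build_request_line refuses this input."""
    try:
        build_request_line(method, target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign method and an attacker-shaped one.
    for m in ("GET", "PATCH", "GET\r\nX-Injected: 1", "GET ", ""):
        print(repr(m), "rejected" if rejected(m) else "accepted")
```

Anything that lets untrusted input choose the method (a proxy, an API gateway, a "verb" query parameter) should apply such a check, in addition to upgrading urllib3 to 1.25.9 or later.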

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor | Product | Versions
Python | Urllib3 | < 1.25.9
Canonical | Ubuntu Linux | 16.04
Debian | Debian Linux | 9.0
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.2.0
Oracle | Zfs Storage Appliance Kit | 8.8

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-26137?

CVE-2020-26137 is a vulnerability with a CVSS score of 6.5 (MEDIUM). urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

How severe is CVE-2020-26137?

CVE-2020-26137 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2020-26137?

Check the references section above for vendor advisories and patch information. Affected products include: Python Urllib3, Canonical Ubuntu Linux, Debian Debian Linux, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Zfs Storage Appliance Kit.