CVE-2020-26137

Advisory

Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
https://github.com/python/cpython/issues/83784
https://github.com/urllib3/urllib3/pull/1800

Affected package

Affected versions

Fixed versions

Vulnerability changelog

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.


MISC:https://bugs.python.org/issue39603: https://bugs.python.org/issue39603
MISC:https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
MISC:https://github.com/urllib3/urllib3/pull/1800: https://github.com/urllib3/urllib3/pull/1800

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
• https://bugs.python.org/issue39603
• https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
• https://github.com/urllib3/urllib3/pull/1800
• https://usn.ubuntu.com/4570-1/
• https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html