CVE-2020-26116

UNKNOWN

Published 2020-09-27T00:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2020-26116. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-w7gf-rpqw-gx4f

Advisory Details

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-26116

WEB https://bugs.python.org/issue39603

WEB https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

WEB https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV

WEB https://python-security.readthedocs.io/vuln/http-header-injection-method.html

WEB https://security.gentoo.org/glsa/202101-18

WEB https://security.netapp.com/advisory/ntap-20201023-0001

WEB https://usn.ubuntu.com/4581-1

WEB https://www.oracle.com/security-alerts/cpuoct2021.html

WEB http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html

Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: June 29, 2022

References

https://python-security.readthedocs.io/vuln/http-header-injection-method.html

https://bugs.python.org/issue39603

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/

https://usn.ubuntu.com/4581-1/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

https://security.gentoo.org/glsa/202101-18

https://www.oracle.com/security-alerts/cpuoct2021.html

https://security.netapp.com/advisory/ntap-20201023-0001/

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

HackerOne Reports

'net/http': HTTP Header Injection in the set_content_type method High

sighook

Ruby

CRLF Injection

View Report

Published: 2020-09-27T00:00:00

Last Modified: 2024-08-04T15:49:07.209Z

Copied to clipboard!

CVE-2020-26116

Expert Analysis

Description

Available Exploits

Related News

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!