BIT-python-2022-0391

Import Source
https://github.com/bitnami/vulndb/tree/main/data/python/BIT-python-2022-0391.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-python-2022-0391
Aliases
Published
2024-03-06T11:05:40.083Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue is that the urlparse method does not sanitize its input and allows characters such as '\r' and '\n' to remain in the URL path. This flaw allows an attacker to supply a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
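The practical consequence of the flaw above is that a caller who trusts the components returned by urlparse can end up forwarding CR/LF into whatever consumes them. The following is an added example, not part of the OSV record or of CPython: a small pre-parse guard that rejects URLs carrying CR, LF or TAB before they ever reach urlparse(), plus a self-check that reports whether the running interpreter still passes such characters through into the path. The function names and the sample URLs are the author's own constructions.

```python
"""Pre-parse validation for URLs handed to urllib.parse.urlparse.

Added example for this advisory (not code from the OSV record or from
CPython): reject URLs that contain ASCII control characters such as
'\r' and '\n' before parsing, so that an interpreter that still leaves
them in the path cannot hand them on to the caller. Helper names are
this example's own choice.
"""
import re
from urllib.parse import ParseResult, urlparse

# CR and LF are the characters named in the advisory; TAB is included
# because it is the same class of line/field separator in most consumers.
_CONTROL_CHARS = re.compile(r"[\r\n\t]")


def has_url_control_chars(url: str) -> bool:
    """Return True if the raw URL contains CR, LF or TAB anywhere."""
    return _CONTROL_CHARS.search(url) is not None


def safe_urlparse(url: str) -> ParseResult:
    """Parse a URL only if it carries no CR/LF/TAB; raise ValueError otherwise.

    Rejecting, rather than silently stripping, keeps behaviour identical on
    patched and unpatched interpreters and makes the bad input visible to
    whoever logs the exception.
    """
    if has_url_control_chars(url):
        raise ValueError("URL contains control characters (CR/LF/TAB)")
    return urlparse(url)


def path_has_control_chars(url: str) -> bool:
    """Report whether this interpreter leaves CR/LF/TAB in the parsed path.

    On the versions listed as affected the path keeps the characters; on
    fixed versions they are removed before parsing. Handy as a quick
    self-check when auditing a deployment.
    """
    return has_url_control_chars(urlparse(url).path)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from any real traffic).
    clean = "https://example.test/api/v1/items?id=42"
    crafted = "https://example.test/api/v1/items\r\nsecond-line"

    print("clean path:", safe_urlparse(clean).path)
    try:
        safe_urlparse(crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print("interpreter passes CR/LF into path:", path_has_control_chars(crafted))
```

Use safe_urlparse() at the trust boundary (request handlers, redirect followers, anything that rebuilds headers or paths from parsed components); the self-check is only informative, since the guard itself does not depend on the interpreter version.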

Database specific
{
    "cpes": [
        "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha1:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha2:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha3:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha4:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha5:*:*:*:*:*:*",
        "cpe:2.3:a:python:python:3.10.0:alpha6:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / python

Package

Name
python
Purl
pkg:bitnami/python

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.6.14
Introduced
3.7.0
Fixed
3.7.11
Introduced
3.8.0
Fixed
3.8.11
Introduced
3.9.0
Fixed
3.9.5
Type
SEMVER
Events
Introduced
3.10.0-alpha1
Last affected
3.10.0-alpha1
Introduced
3.10.0-alpha2
Last affected
3.10.0-alpha2
Introduced
3.10.0-alpha3
Last affected
3.10.0-alpha3
Introduced
3.10.0-alpha4
Last affected
3.10.0-alpha4
Introduced
3.10.0-alpha5
Last affected
3.10.0-alpha5
Introduced
3.10.0-alpha6
Last affected
3.10.0-alpha6