CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type

GIT

Repo

https://github.com/python/cpython

Events

Introduced

2e789a1f1d84b343a996e8654590703b5fbdd441

Fixed

ac39a516017c80993309f803441c8ee97c44838e

Introduced

5c4568a05a0a62b5947c55f68f9f2ecfb90a4f12

Fixed

201c8f79450628241574fba940e08107178dc3a5

Introduced

1bf9cc509326bc42cd8cb1650eb9bf64550d817e

Fixed

e09359112e250268eca209355abeb17abf822486

Database specific

{
    "versions": [
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.8"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.9"
        },
        {
            "introduced": "3.7.0"
        },
        {
            "fixed": "3.7.4"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9947.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "2.7.0"
            },
            {
                "fixed": "2.7.17"
            }
        ]
    }
]