DEBIAN-CVE-2020-26137

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2020-26137

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2020-26137.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2020-26137

Upstream

CVE-2020-26137

Published

2020-09-30T18:15:26Z

Modified

2025-09-25T02:16:45.846461Z

Summary

[none]

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

https://security-tracker.debian.org/tracker/CVE-2020-26137

Affected packages

Debian:11 / python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/debian/python-urllib3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/debian/python-urllib3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/debian/python-urllib3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/debian/python-urllib3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}