GHSA-r64q-w8jr-g9qp

Suggest an improvement
Source
https://github.com/advisories/GHSA-r64q-w8jr-g9qp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r64q-w8jr-g9qp/GHSA-r64q-w8jr-g9qp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r64q-w8jr-g9qp
Aliases
Published
2022-05-13T01:09:23Z
Modified
2024-11-18T23:01:35.378516Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Improper Neutralization of CRLF Sequences in urllib3 library for Python
Details

In the urllib3 library through 1.24.2 for Python, CRLF injection is possible if the attacker controls the request parameter.

References

Affected packages

PyPI / urllib3

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.24.3

Affected versions

0.*

0.2
0.3
0.3.1
0.4.0
0.4.1

1.*

1.0
1.0.1
1.0.2
1.1
1.2
1.2.1
1.2.2
1.3
1.4
1.5
1.6
1.7
1.7.1
1.8
1.8.2
1.8.3
1.9
1.9.1
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.11
1.12
1.13
1.13.1
1.14
1.15
1.15.1
1.16
1.17
1.18
1.18.1
1.19
1.19.1
1.20
1.21
1.21.1
1.22
1.23
1.24
1.24.1
1.24.2

Database specific

{
    "last_known_affected_version_range": "<= 1.24.2"
}