GHSA-r64q-w8jr-g9qp

Source

https://github.com/advisories/GHSA-r64q-w8jr-g9qp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r64q-w8jr-g9qp/GHSA-r64q-w8jr-g9qp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r64q-w8jr-g9qp

Aliases

Published

2022-05-13T01:09:23Z

Modified

2024-11-18T23:01:35.378516Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Improper Neutralization of CRLF Sequences in urllib3 library for Python

Details

In the urllib3 library through 1.24.2 for Python, CRLF injection is possible if the attacker controls the request parameter.

Database specific

{
    "nvd_published_at": "2019-04-15T15:29:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2022-06-28T15:02:18Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-93"
    ]
}

References

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.3

Affected versions

0.*

0.2

0.3

0.3.1

0.4.0

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.2

1.2.1

1.2.2

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.2

1.8.3

1.9

1.9.1

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.17

1.18

1.18.1

1.19

1.19.1

1.20

1.21

1.21.1

1.22

1.23

1.24

1.24.1

1.24.2

Database specific

last_known_affected_version_range

"<= 1.24.2"