CVE-2019-11236 Information

Description

In the urllib3 library through 1.24.1 for Python CRLF injection is possible if the attacker controls the request parameter.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html https://access.redhat.com/errata/RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3590 https://github.com/urllib3/urllib3/issues/1553 https://github.com/urllib3/urllib3/issues/1553 https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html [debian-lts-announce] 20190620 [SECURITY] [DLA 1828-1] python-urllib3 security update https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/ https://usn.ubuntu.com/3990-1/ https://usn.ubuntu.com/3990-2/ In the urllib3 library through 1.24.1 for Python CRLF injection is possible if the attacker controls the request parameter. cpe:2.3:a:python:urllib3::::::::

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1