CVE-2020-11078 Information
Description
In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to httplib2.Http.request() could change request headers and body, and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper URL building with escaping via urllib. This has been fixed in 0.18.0.
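The caller-side mitigation the description points at, shown as an added example that is not httplib2's own code: the concatenation pattern beside a builder that percent-encodes each component with urllib.parse and rejects any URL still carrying CR or LF. The `/users/<id>` resource path, the `api.example` host and the tainted sample value are all constructed for illustration.

```python
"""Safe URL construction for an httplib2-style client (CVE-2020-11078 context).

Added example, not code from the httplib2 project. The weak pattern is
plain string concatenation of an untrusted value into the URI handed to
httplib2.Http.request(); the caller-side fix is to escape each component
with urllib.parse and to refuse any result that still contains CR/LF.
"""
from typing import Optional
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Bytes that must never reach the request line or a header verbatim.
_CRLF = ("\r", "\n")


def has_raw_crlf(url: str) -> bool:
    """Detection helper: True if the URL could alter HTTP request framing."""
    return any(c in url for c in _CRLF)


def build_url_unsafe(base: str, user_id: str) -> str:
    """The pattern the advisory warns about, kept only for contrast."""
    return base + "/users/" + user_id


def build_url(base: str, user_id: str, params: Optional[dict] = None) -> str:
    """Escape the path segment and query, then validate the assembled URL.

    quote(..., safe="") also encodes '/', so one segment cannot become
    several; urlencode() takes care of the query string.
    """
    parts = urlsplit(base)
    path = parts.path.rstrip("/") + "/users/" + quote(user_id, safe="")
    query = urlencode(params or {})
    url = urlunsplit((parts.scheme, parts.netloc, path, query, ""))
    if has_raw_crlf(url):
        # quote()/urlencode() never emit raw CR/LF; only a bad base gets here.
        raise ValueError("CR/LF in constructed URL")
    return url


if __name__ == "__main__":
    # Constructed sample input: an identifier carrying a line break, as it
    # might arrive from an untrusted source.
    tainted = "alice\r\nX-Injected: 1"
    print(has_raw_crlf(build_url_unsafe("http://api.example", tainted)))
    print(build_url("http://api.example", tainted))
    print(build_url("http://api.example/", "bob", {"q": "a b"}))
```

The safe URL can then be passed to `httplib2.Http().request(...)` as usual; the line break survives only as `%0D%0A` inside the path, where it cannot split the request.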
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Reference
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@3Cissues.beam.apache.org3E
https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@3Cissues.beam.apache.org3E
https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@3Cissues.beam.apache.org3E
https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@3Cissues.beam.apache.org3E
https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@3Cissues.beam.apache.org3E
https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@3Ccommits.allura.apache.org3E
https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
6.8
Base Severity
MEDIUM