FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- CRLF injection via the host part of the URL passed to urlopen()

Affected packages
python27 < 2.7.18
python38 < 3.8.3

Details

VuXML ID ca595a25-91d8-11ea-b470-080027846a02
Discovery 2019-10-24
Entry 2020-05-09

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
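The mechanism behind the report, as an added example that is not part of this VuXML entry and not CPython's own code: a client that pastes an attacker-controlled host straight into the `Host:` header lets a `\r\n` inside the host terminate that header and start a new one, so the server sees a header the client never set. The hardened builder refuses any host containing a control character; the character class used here, `[\x00-\x20\x7f]`, is an assumption chosen to match what the upstream fix checks the host against, and the example takes the host as an already-extracted string rather than going through `urllib`, so it behaves the same on patched and unpatched interpreters. All names and the sample host are constructed for this illustration.

```python
import re

# Control-character class rejected in the host (assumption for this example:
# it covers \r and \n as well as other C0 controls, space and DEL).
_DISALLOWED_HOST_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidHost(ValueError):
    """Raised by the hardened builder when the host contains control chars."""


def build_request_unchecked(method, host, path):
    """Serialise a minimal HTTP/1.1 request the way an unpatched client does:
    the host is written into the Host header without any validation."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept-Encoding: identity\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_head(raw):
    """Split the serialised request as a server would: the request line plus
    the list of header lines that precede the blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def injected_header_names(host):
    """Header names a server would see that the client never set.
    A non-empty list means the host smuggled extra headers into the request."""
    _, headers = parse_head(build_request_unchecked("GET", host, "/"))
    expected = {b"host", b"accept-encoding"}
    names = [h.split(b":", 1)[0] for h in headers]
    return [n for n in names if n.lower() not in expected]


def validate_host(host):
    """Hardened check: refuse any host containing a control character."""
    m = _DISALLOWED_HOST_CHARS.search(host)
    if m:
        raise InvalidHost(
            f"host can't contain control characters: {host!r} (found {m.group()!r})"
        )
    return host


def build_request_checked(method, host, path):
    """Same serialiser, but the host is validated before it is written."""
    return build_request_unchecked(method, validate_host(host), path)


if __name__ == "__main__":
    # Constructed attacker-controlled host: a CRLF followed by a header line.
    evil_host = "example.com\r\nX-Injected: 1"
    print(build_request_unchecked("GET", evil_host, "/").decode("latin-1"))
    print("smuggled headers:", injected_header_names(evil_host))
    try:
        build_request_checked("GET", evil_host, "/")
    except InvalidHost as exc:
        print("rejected:", exc)
```

Running the script prints the unchecked request with `X-Injected: 1` on its own line between `Host:` and `Accept-Encoding:`, and then the rejection raised by the checked builder. The same check belongs wherever a URL from an untrusted source is split into components before being handed to an HTTP client.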

References

CVE Name CVE-2019-18348
URL https://bugs.python.org/issue38576
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348