CVE-2019-11236
MEDIUM
urllib3 < 1.24.2 - CRLF Injection via Request Parameter
Title source: llm
Description
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
References (15)
Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/urllib3/urllib3/issues/1553
Vendor Advisory vendor-advisory
https://usn.ubuntu.com/3990-1/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
Vendor Advisory vendor-advisory
https://usn.ubuntu.com/3990-2/
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2272
Mailing List vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
Mailing List vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3590
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3335
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
Scores
CVSS v3
6.1
EPSS
0.0206
EPSS Percentile
78.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-93
Status
published
Products (2)
pypi/urllib3
0 - 1.24.3 (PyPI)
python/urllib3
< 1.24.2
Published
Apr 15, 2019
Tracked Since
Feb 18, 2026