CVE-2020-11078
MEDIUMhttplib2 < 0.18.0 - HTTP Request Smuggling via CRLF Injection
Title source: llmDescription
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
References (11)
Core 11
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
Patch, Third Party Advisory x_refsource_misc
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E
Scores
CVSS v3
6.8
EPSS
0.0259
EPSS Percentile
83.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-93
CWE-74
Status
published
Products (5)
debian/debian_linux
8.0
fedoraproject/fedora
31
fedoraproject/fedora
32
httplib2_project/httplib2
< 0.18.0
pypi/httplib2
0 - 0.18.0PyPI
Published
May 20, 2020
Tracked Since
Feb 18, 2026