CVE-2020-26116

HIGH

Python 3.x < 3.5.10, 3.6.x < 3.6.12, 3.7.x < 3.7.9, 3.8.x < 3.8.5 - HTTP Header Injection via HTTPConnection.request

Title source: llm

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. The method string is written into the request line without validation, so a CR LF pair inside it terminates the request line early and everything after it is parsed by the server as additional header lines. Exploitation requires an application that passes an attacker-supplied method through to http.client (for example a proxy or API wrapper that forwards the incoming request method verbatim); the URL and header values were already validated in these versions, only the method was not.
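The following script is an added example for this page, not code from the Python project or from the advisory. It reproduces the unpatched request-line construction in a small helper to show what an injected method does to the bytes on the wire, applies a control-character check of the kind the fix introduced (reimplemented here; to my knowledge the stdlib's own check is a private `_validate_method` in `http.client`), and then drives the interpreter's real `http.client.HTTPConnection` against a capturing fake socket so that no network connection is made. The host name and the `X-Injected` header are constructed for the demonstration.

```python
"""CVE-2020-26116: a CR LF inside the HTTP method splits the request line."""
import http.client
import re
import sys

# Placeholder host; a fake socket is attached before request(), so no DNS
# lookup or TCP connection ever happens.
FAKE_HOST = "example.invalid"

# Constructed attacker-controlled method: a valid token followed by CR LF and
# a header line the attacker wants the server to see.
MALICIOUS_METHOD = "GET\r\nX-Injected: yes"


class CapturingSocket:
    """Minimal stand-in for a socket: records whatever http.client sends."""

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


def build_request_line(method, url="/", version="HTTP/1.1"):
    """Reimplementation of how the unpatched http.client assembled the
    request line: plain string formatting with no validation of `method`.
    Returns the ASCII-encoded request line terminated by CR LF."""
    return ("%s %s %s" % (method, url, version)).encode("ascii") + b"\r\n"


def parse_request_head(raw):
    """Split a raw request head into (request_line, header_lines) the way an
    HTTP server does, so the effect of an injected CR LF becomes visible.
    Note that the tail of the original request line (' / HTTP/1.1') ends up
    glued onto the injected header's value."""
    lines = raw.split(b"\r\n")
    return lines[0], [line for line in lines[1:] if line]


# Disallow any C0 control character (including CR and LF) in the method.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method):
    """Hardened check: reject control characters in the method, raising the
    same exception type the patched stdlib raises."""
    if _CONTROL_CHARS.search(method):
        raise ValueError("method can't contain control characters")
    return method


def method_is_safe(method):
    """Boolean wrapper around validate_method() for callers that prefer it."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def probe_installed_http_client(method=MALICIOUS_METHOD):
    """Drive the real http.client with a capturing fake socket.
    Returns ("rejected", None) when the interpreter's http.client refuses
    the method with ValueError (patched), or ("sent", raw_bytes) when the
    request head was written to the socket as-is."""
    conn = http.client.HTTPConnection(FAKE_HOST)
    sock = CapturingSocket()
    conn.sock = sock  # pre-attached, so connect() is never called
    try:
        conn.request(method, "/")
    except ValueError:
        return "rejected", None
    return "sent", sock.sent


if __name__ == "__main__":
    line, headers = parse_request_head(build_request_line(MALICIOUS_METHOD))
    print("unpatched request line:", line)
    print("headers the server would parse:", headers)
    print("hardened check accepts payload:", method_is_safe(MALICIOUS_METHOD))
    outcome, raw = probe_installed_http_client()
    print("this interpreter (%s):" % sys.version.split()[0], outcome)
    if raw is not None:
        print(raw)
```

Running the script on a patched interpreter prints `rejected` for the final probe; on an affected one it prints `sent` together with a request head whose second line is the injected header. A benign method such as `GET` is sent in both cases, which is the quickest way to confirm the fake-socket harness itself is working before trusting the result.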

References (14)

https://usn.ubuntu.com/4581-1/ (Third Party Advisory, vendor-advisory)
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html (Mailing List, Third Party Advisory, vendor-advisory)
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html (Mailing List, Third Party Advisory, mailing-list)
https://security.gentoo.org/glsa/202101-18 (Third Party Advisory, vendor-advisory)
https://bugs.python.org/issue39603 (Exploit, Issue Tracking, Patch, Vendor Advisory)

Scores

CVSS v3.1 base score 7.2
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector NETWORK
EPSS 0.0090
EPSS Percentile 76.0%

Details

CWE
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
Status published
Products (13)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
netapp/hci_storage_node
netapp/solidfire
... and 3 more
Published Sep 27, 2020
Tracked Since Feb 18, 2026