CVE-2020-26137

MEDIUM

Python Urllib3 < 1.25.9 - Injection

Title source: rule

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Scores

CVSS v3 6.5
EPSS 0.0026
EPSS Percentile 48.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE
CWE-74
Status published

Affected Products (8)

python/urllib3 < 1.25.9
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
debian/debian_linux
oracle/communications_cloud_native_core_network_function_cloud_native_environment
oracle/zfs_storage_appliance_kit
pypi/urllib3 < 1.25.9 (PyPI)

Timeline

Published Sep 30, 2020
Tracked Since Feb 18, 2026