Description
A flaw was found in Python, specifically within the urllib.parse module. This module breaks Uniform Resource Locator (URL) strings into their components. The urlparse function does not sanitize its input and accepts characters such as '\r' and '\n' in the URL path. This allows an attacker to supply a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
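As an added example (not part of this record or of CPython), a pre-parse check that detects the ASCII tab, CR and LF characters which patched urllib.parse versions silently strip, so that a URL carrying them can be rejected and logged rather than normalised away; the function names strict_urlparse and find_unsafe_url_chars are hypothetical.

```python
from __future__ import annotations

import urllib.parse

# Characters that patched versions of urllib.parse silently strip from a URL
# (ASCII tab, carriage return and line feed). On unpatched versions they pass
# through urlparse() unchanged and can end up in the parsed path or query.
UNSAFE_URL_CHARS = ("\t", "\r", "\n")


def find_unsafe_url_chars(url: str) -> list[tuple[int, str]]:
    """Return (offset, char) for every tab/CR/LF found in the URL string."""
    return [(i, ch) for i, ch in enumerate(url) if ch in UNSAFE_URL_CHARS]


def is_safe_url(url: str) -> bool:
    """True when the URL contains none of the characters above."""
    return not find_unsafe_url_chars(url)


def strict_urlparse(url: str) -> urllib.parse.ParseResult:
    """Parse a URL but refuse, rather than strip, embedded control characters.

    This validation step is independent of the interpreter version, so the
    caller sees a hard failure instead of a silently rewritten URL.
    """
    bad = find_unsafe_url_chars(url)
    if bad:
        raise ValueError(f"URL contains unsafe characters at {bad}")
    return urllib.parse.urlparse(url)


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL and one with CR/LF inside the path.
    clean = "https://example.com/api/v1/items?id=42"
    tainted = "https://example.com/api/v1/items\r\nother?id=42"
    print(strict_urlparse(clean).path)          # /api/v1/items
    print(find_unsafe_url_chars(tainted))       # [(32, '\r'), (33, '\n')]
    try:
        strict_urlparse(tainted)
    except ValueError as exc:
        print("rejected:", exc)
```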
References (9)
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202305-02
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugs.python.org/issue43882
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220225-0009/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3
7.5
EPSS
0.0121
EPSS Percentile
79.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (13)
fedoraproject/fedora
34
fedoraproject/fedora
35
netapp/active_iq_unified_manager
netapp/hci
netapp/hci_compute_node
netapp/management_services_for_element_software
netapp/ontap_select_deploy_administration_utility
netapp/solidfire,_enterprise_sds_&_hci_storage_node
oracle/http_server
12.2.1.3.0
oracle/http_server
12.2.1.4.0
... and 3 more
Published
Feb 09, 2022
Tracked Since
Feb 18, 2026