CVE-2022-0391

HIGH

Python <3.10.0b1-3.6.14 - Code Injection

Title source: llm

Description

A flaw was found in Python, specifically within the urllib.parse module, which breaks Uniform Resource Locator (URL) strings into components. The urlparse method does not sanitize its input and allows characters like '\r' and '\n' in the URL path. An attacker can supply a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
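A defensive check for the behaviour described above, as an added example that is not part of the original record: it rejects URLs carrying CR or LF before they reach urlparse, and probes whether the running interpreter already removes them from the path. The helper names and the example.test URLs are constructed for illustration, and the inclusion of ASCII tab goes beyond the two characters the description names (fixed releases strip tab as well).

```python
from urllib.parse import urlparse

# CR and LF are the characters named in the description; tab is an added
# assumption here because fixed releases remove it during parsing too.
UNSAFE_URL_CHARS = ("\t", "\r", "\n")


def find_unsafe_chars(url):
    """Return (offset, repr) for every tab/CR/LF found in the raw URL string."""
    return [(i, repr(ch)) for i, ch in enumerate(url) if ch in UNSAFE_URL_CHARS]


def strict_urlparse(url):
    """Parse a URL, rejecting tab/CR/LF rather than relying on silent stripping."""
    hits = find_unsafe_chars(url)
    if hits:
        raise ValueError(f"control characters in URL at {hits}")
    return urlparse(url)


def interpreter_strips_crlf():
    """True if this interpreter's urlparse removes CR/LF from the path."""
    probe = "http://example.test/a\r\nb"  # constructed probe URL
    path = urlparse(probe).path
    return "\r" not in path and "\n" not in path


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL, one with CR/LF in the path.
    samples = [
        "http://example.test/index.html",
        "http://example.test/a\r\nX-Injected: 1",
    ]
    print("urlparse strips CR/LF here:", interpreter_strips_crlf())
    for s in samples:
        try:
            print("ok  ", strict_urlparse(s).path)
        except ValueError as exc:
            print("deny", exc)
```

Rejecting at the boundary keeps behaviour identical on affected and fixed interpreters, and the rejection itself is worth logging as a signal of attempted header or request splitting.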

Scores

CVSS v3 7.5
EPSS 0.0132
EPSS Percentile 79.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-74
Status published

Affected Products (18)

python/python < 3.6.14
python/python
python/python
python/python
python/python
python/python
python/python
netapp/active_iq_unified_manager
netapp/hci
netapp/management_services_for_element_software
netapp/ontap_select_deploy_administration_utility
netapp/solidfire\,_enterprise_sds_\&_hci_storage_node
netapp/hci_compute_node
fedoraproject/fedora
fedoraproject/fedora
... and 3 more

Timeline

Published Feb 09, 2022
Tracked Since Feb 18, 2026