Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Required

Privileges Required

None

Attack Vector

Network

0

CVE-2019-9740

Disclosure Date: March 13, 2019 •

CVE-2019-9740 CVSS v3 Base Score: 6.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.1 Medium

Impact Score:

2.7

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

Vendors

python

Products

python

References

Canonical

CVE-2019-9740 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740)

BID-107466 (http://www.securityfocus.com/bid/107466)

Advisory

FEDORA-2019-1ffd6b6064 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4)

https://access.redhat.com/errata/RHSA-2019:1260

FEDORA-2019-ec26883852 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK)

https://security.netapp.com/advisory/ntap-20190619-0005

[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html)

[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html)

[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update (https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html)

FEDORA-2019-7723d4774a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU)

FEDORA-2019-7df59302e0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL)

https://access.redhat.com/errata/RHSA-2019:2030

USN-4127-2 (https://usn.ubuntu.com/4127-2)

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html

USN-4127-1 (https://usn.ubuntu.com/4127-1)

20191021 [slackware-security] python (SSA:2019-293-01) (https://seclists.org/bugtraq/2019/Oct/29)

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/errata/RHSA-2019:3520

https://access.redhat.com/errata/RHSA-2019:3725

FEDORA-2019-b06ec6159b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX)

FEDORA-2019-d202cda4f8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V)

FEDORA-2019-57462fa10d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR)

GLSA-202003-26 (https://security.gentoo.org/glsa/202003-26)

[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update (https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html)

[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html)

FEDORA-2019-1ffd6b6064 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/)

FEDORA-2019-ec26883852 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/)

https://security.netapp.com/advisory/ntap-20190619-0005/

FEDORA-2019-7723d4774a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/)

FEDORA-2019-7df59302e0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/)

USN-4127-2 (https://usn.ubuntu.com/4127-2/)

USN-4127-1 (https://usn.ubuntu.com/4127-1/)

FEDORA-2019-b06ec6159b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/)

FEDORA-2019-d202cda4f8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/)

FEDORA-2019-57462fa10d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/)

[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation (http://www.openwall.com/lists/oss-security/2021/02/04/2)

Miscellaneous

https://bugs.python.org/issue36276

http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html

https://www.oracle.com/security-alerts/cpujul2022.html

Rapid7

Technical Analysis