CVE-2019-11236

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
pythonurllib3
𝑥
≤ 1.24.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-urllib3
bookworm
1.26.12-1
fixed
bullseye
1.26.5-1~exp1
fixed
sid
2.0.7-2
fixed
trixie
2.0.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-urllib3
bionic
Fixed 1.22-1ubuntu0.18.04.1
released
cosmic
Fixed 1.22-1ubuntu0.18.10.1
released
disco
Fixed 1.24.1-1ubuntu0.1
released
trusty
Fixed 1.7.1-1ubuntu4.1+esm1
released
xenial
Fixed 1.13.1-2ubuntu0.16.04.3
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
aws-cli-py36
suse enterprise server 12 SP3
1.19.9-6.3.15
fixed
libpython3_6m1_0
suse enterprise server 12 SP3
3.6.15-6.61.5
fixed
python-urllib3
suse enterprise sap 12
1.22-3.14.1
fixed
suse enterprise sap 12 SP3
1.22-3.14.1
fixed
suse enterprise sap 12 SP4
1.22-3.14.1
fixed
suse enterprise sap 12 SP5
1.22-3.14.1
fixed
suse enterprise server 12
1.22-3.14.1
fixed
suse enterprise server 12 SP3
1.22-7.7.1
fixed
suse enterprise server 12 SP4
1.22-3.14.1
fixed
suse enterprise server 12 SP5
1.22-3.14.1
fixed
python2-urllib3
suse enterprise desktop 15
1.22-6.4.1
fixed
suse enterprise sap 15
1.22-6.4.1
fixed
suse enterprise server 15
1.22-6.4.1
fixed
python3-urllib3
suse enterprise desktop 15
1.22-6.4.1
fixed
suse enterprise sap 12
1.22-3.14.1
fixed
suse enterprise sap 12 SP3
1.22-3.14.1
fixed
suse enterprise sap 12 SP4
1.22-3.14.1
fixed
suse enterprise sap 12 SP5
1.22-3.14.1
fixed
suse enterprise sap 15
1.22-6.4.1
fixed
suse enterprise server 12
1.22-3.14.1
fixed
suse enterprise server 12 SP3
1.22-3.14.1
fixed
suse enterprise server 12 SP4
1.22-3.14.1
fixed
suse enterprise server 12 SP5
1.22-3.14.1
fixed
suse enterprise server 15
1.22-6.4.1
fixed
python311-urllib3
suse enterprise desktop 15 SP6
2.0.7-150400.7.11.1
fixed
suse enterprise sap 15 SP6
2.0.7-150400.7.11.1
fixed
suse enterprise server 15 SP6
2.0.7-150400.7.11.1
fixed
python311-urllib3_1
suse enterprise desktop 15 SP6
1.26.18-150600.1.4
fixed
suse enterprise sap 15 SP6
1.26.18-150600.1.4
fixed
suse enterprise server 15 SP6
1.26.18-150600.1.4
fixed
python36
suse enterprise server 12 SP3
3.6.15-6.61.6
fixed
python36-PyYAML
suse enterprise server 12 SP3
5.3.1-6.5.12
fixed
python36-appdirs
suse enterprise server 12 SP3
1.4.3-6.3.8
fixed
python36-asn1crypto
suse enterprise server 12 SP3
0.24.0-6.3.16
fixed
python36-base
suse enterprise server 12 SP3
3.6.15-6.61.5
fixed
python36-boto3
suse enterprise server 12 SP3
1.17.9-6.3.11
fixed
python36-botocore
suse enterprise server 12 SP3
1.20.9-6.3.11
fixed
python36-certifi
suse enterprise server 12 SP3
2018.1.18-6.3.15
fixed
python36-cffi
suse enterprise server 12 SP3
1.11.5-6.3.18
fixed
python36-chardet
suse enterprise server 12 SP3
3.0.4-6.3.15
fixed
python36-colorama
suse enterprise server 12 SP3
0.4.4-6.3.15
fixed
python36-cryptography
suse enterprise server 12 SP3
2.8-6.3.17
fixed
python36-curses
suse enterprise server 12 SP3
3.6.15-6.61.6
fixed
python36-dbm
suse enterprise server 12 SP3
3.6.15-6.61.6
fixed
python36-devel
suse enterprise server 12 SP3
3.6.15-6.61.5
fixed
python36-docutils
suse enterprise server 12 SP3
0.14-6.3.8
fixed
python36-idle
suse enterprise server 12 SP3
3.6.15-6.61.6
fixed
python36-idna
suse enterprise server 12 SP3
2.6-6.5.15
fixed
python36-jmespath
suse enterprise server 12 SP3
0.9.3-6.3.14
fixed
python36-packaging
suse enterprise server 12 SP3
17.1-6.6.8
fixed
python36-ply
suse enterprise server 12 SP3
3.10-6.3.8
fixed
python36-ply-doc
suse enterprise server 12 SP3
3.10-6.3.8
fixed
python36-py
suse enterprise server 12 SP3
1.8.1-6.3.15
fixed
python36-pyOpenSSL
suse enterprise server 12 SP3
17.1.0-6.3.16
fixed
python36-pyasn1
suse enterprise server 12 SP3
0.1.9-6.3.18
fixed
python36-pycparser
suse enterprise server 12 SP3
2.10-6.3.9
fixed
python36-pyparsing
suse enterprise server 12 SP3
2.4.7-6.3.9
fixed
python36-pyparsing-doc
suse enterprise server 12 SP3
2.4.7-6.3.9
fixed
python36-python-dateutil
suse enterprise server 12 SP3
2.7.3-6.3.13
fixed
python36-requests
suse enterprise server 12 SP3
2.24.0-6.3.15
fixed
python36-rsa
suse enterprise server 12 SP3
3.4.2-6.3.15
fixed
python36-s3transfer
suse enterprise server 12 SP3
0.3.3-6.3.11
fixed
python36-setuptools
suse enterprise server 12 SP3
44.1.1-9.11.1
fixed
python36-setuptools-test
suse enterprise server 12 SP3
44.1.1-6.7.4
fixed
python36-setuptools-wheel
suse enterprise server 12 SP3
44.1.1-6.7.3
fixed
python36-simplejson
suse enterprise server 12 SP3
3.8.2-6.3.16
fixed
python36-six
suse enterprise server 12 SP3
1.14.0-6.7.3
fixed
python36-six-doc
suse enterprise server 12 SP3
1.14.0-6.7.6
fixed
python36-testsuite
suse enterprise server 12 SP3
3.6.15-6.61.5
fixed
python36-tk
suse enterprise server 12 SP3
3.6.15-6.61.6
fixed
python36-tools
suse enterprise server 12 SP3
3.6.15-6.61.5
fixed
python36-urllib3
suse enterprise server 12 SP3
1.25.10-6.3.13
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
platform-python-pip
RHEL 8
0:9.0.3-16.el8
fixed
python-urllib3
RHEL 7
0:1.10.2-7.el7
fixed
python-virtualenv
RHEL 7
0:15.1.0-4.el7_8
fixed
python3-pip
RHEL 7
0:9.0.3-7.el7_8
fixed
RHEL 8
0:9.0.3-16.el8
fixed
python3-pip-wheel
RHEL 8
0:9.0.3-16.el8
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
https://access.redhat.com/errata/RHSA-2019:2272
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/issues/1553
https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/
https://usn.ubuntu.com/3990-2/
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
https://access.redhat.com/errata/RHSA-2019:2272
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/issues/1553
https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/
https://usn.ubuntu.com/3990-2/