CVE-2019-11236

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
pythonurllib3
𝑥
≤ 1.24.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-urllib3
bullseye
1.26.5-1~exp1
fixed
bookworm
1.26.12-1
fixed
sid
2.0.7-2
fixed
trixie
2.0.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-urllib3
disco
Fixed 1.24.1-1ubuntu0.1
released
cosmic
Fixed 1.22-1ubuntu0.18.10.1
released
bionic
Fixed 1.22-1ubuntu0.18.04.1
released
xenial
Fixed 1.13.1-2ubuntu0.16.04.3
released
trusty
Fixed 1.7.1-1ubuntu4.1+esm1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
https://access.redhat.com/errata/RHSA-2019:2272
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/issues/1553
https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/
https://usn.ubuntu.com/3990-2/
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
https://access.redhat.com/errata/RHSA-2019:2272
https://access.redhat.com/errata/RHSA-2019:3335
https://access.redhat.com/errata/RHSA-2019:3590
https://github.com/urllib3/urllib3/issues/1553
https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
https://usn.ubuntu.com/3990-1/
https://usn.ubuntu.com/3990-2/