CVE-2019-9740

13.03.2019, 03:29

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

CRLF Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Affected Products (NVD)

Vendor	Product	Version
python	python	2.0 ≤ 𝑥 < 2.7.17
python	python	3.5.0 ≤ 𝑥 < 3.5.8
python	python	3.6.0 ≤ 𝑥 < 3.6.9
python	python	3.7.0 ≤ 𝑥 < 3.7.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python2.7

bullseye

2.7.18-8+deb11u1

fixed

Ubuntu Releases

Ubuntu Product

Codename

python2.7

bionic	Fixed 2.7.15-4ubuntu4~18.04.1 released
cosmic	ignored
disco	Fixed 2.7.16-2ubuntu0.1 released
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	dne
mantic	dne
noble	dne
trusty	Fixed 2.7.6-8ubuntu0.6+esm2 released
xenial	Fixed 2.7.12-1ubuntu0~16.04.8 released

python3.4

bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	Fixed 3.4.3-1ubuntu1~14.04.7+esm2 released
xenial	dne

python3.5

bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1 released
xenial	Fixed 3.5.2-2ubuntu0~16.04.8 released

python3.6

bionic	Fixed 3.6.8-1~18.04.2 released
cosmic	ignored
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	dne
xenial	dne

python3.7

bionic	not-affected
cosmic	ignored
disco	Fixed 3.7.3-2ubuntu0.1 released
eoan	not-affected
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	dne
xenial	dne

openSUSE / SLES Releases

openSUSE Product

Release

aws-cli-py36

suse enterprise server 12 SP3

1.19.9-6.3.15

fixed

libpython3_6m1_0

suse enterprise server 12 SP3

3.6.15-6.61.5

fixed

python-urllib3

suse enterprise sap 12	1.22-3.14.1 fixed
suse enterprise sap 12 SP3	1.22-3.14.1 fixed
suse enterprise sap 12 SP4	1.22-3.14.1 fixed
suse enterprise sap 12 SP5	1.22-3.14.1 fixed
suse enterprise server 12	1.22-3.14.1 fixed
suse enterprise server 12 SP3	1.22-7.7.1 fixed
suse enterprise server 12 SP4	1.22-3.14.1 fixed
suse enterprise server 12 SP5	1.22-3.14.1 fixed

python2-urllib3

suse enterprise desktop 15	1.22-6.4.1 fixed
suse enterprise sap 15	1.22-6.4.1 fixed
suse enterprise server 15	1.22-6.4.1 fixed

python3-CherryPy

suse enterprise desktop 15 SP2	18.3.0-1.31 fixed
suse enterprise desktop 15 SP3	18.3.0-1.31 fixed
suse enterprise desktop 15 SP4	18.3.0-1.31 fixed
suse enterprise desktop 15 SP5	18.3.0-1.31 fixed
suse enterprise desktop 15 SP6	18.3.0-1.31 fixed
suse enterprise desktop 15 SP7	18.3.0-1.31 fixed
suse enterprise sap 15 SP2	18.3.0-1.31 fixed
suse enterprise sap 15 SP3	18.3.0-1.31 fixed
suse enterprise sap 15 SP4	18.3.0-1.31 fixed
suse enterprise sap 15 SP5	18.3.0-1.31 fixed
suse enterprise sap 15 SP6	18.3.0-1.31 fixed
suse enterprise sap 15 SP7	18.3.0-1.31 fixed
suse enterprise server 15 SP2	18.3.0-1.31 fixed
suse enterprise server 15 SP3	18.3.0-1.31 fixed
suse enterprise server 15 SP4	18.3.0-1.31 fixed
suse enterprise server 15 SP5	18.3.0-1.31 fixed
suse enterprise server 15 SP6	18.3.0-1.31 fixed
suse enterprise server 15 SP7	18.3.0-1.31 fixed

python3-urllib3

suse enterprise desktop 15	1.22-6.4.1 fixed
suse enterprise desktop 15 SP2	1.24-9.4.1 fixed
suse enterprise desktop 15 SP3	1.25.10-2.18 fixed
suse enterprise desktop 15 SP4	1.25.10-4.3.1 fixed
suse enterprise desktop 15 SP5	1.25.10-4.3.1 fixed
suse enterprise desktop 15 SP6	1.25.10-150300.4.9.1 fixed
suse enterprise desktop 15 SP7	1.25.10-150300.4.12.1 fixed
suse enterprise sap 12	1.22-3.14.1 fixed
suse enterprise sap 12 SP3	1.22-3.14.1 fixed
suse enterprise sap 12 SP4	1.22-3.14.1 fixed
suse enterprise sap 12 SP5	1.22-3.14.1 fixed
suse enterprise sap 15	1.22-6.4.1 fixed
suse enterprise sap 15 SP2	1.24-9.4.1 fixed
suse enterprise sap 15 SP3	1.25.10-2.18 fixed
suse enterprise sap 15 SP4	1.25.10-4.3.1 fixed
suse enterprise sap 15 SP5	1.25.10-4.3.1 fixed
suse enterprise sap 15 SP6	1.25.10-150300.4.9.1 fixed
suse enterprise sap 15 SP7	1.25.10-150300.4.12.1 fixed
suse enterprise server 12	1.22-3.14.1 fixed
suse enterprise server 12 SP3	1.22-3.14.1 fixed
suse enterprise server 12 SP4	1.22-3.14.1 fixed
suse enterprise server 12 SP5	1.22-3.14.1 fixed
suse enterprise server 15	1.22-6.4.1 fixed
suse enterprise server 15 SP2	1.24-9.4.1 fixed
suse enterprise server 15 SP3	1.25.10-2.18 fixed
suse enterprise server 15 SP4	1.25.10-4.3.1 fixed
suse enterprise server 15 SP5	1.25.10-4.3.1 fixed
suse enterprise server 15 SP6	1.25.10-150300.4.9.1 fixed
suse enterprise server 15 SP7	1.25.10-150300.4.12.1 fixed

python311-CherryPy

suse enterprise desktop 15 SP6	18.9.0-150400.7.3.1 fixed
suse enterprise sap 15 SP6	18.9.0-150400.7.3.1 fixed
suse enterprise server 15 SP6	18.9.0-150400.7.3.1 fixed

python311-urllib3

suse enterprise desktop 15 SP6	2.0.7-150400.7.11.1 fixed
suse enterprise sap 15 SP6	2.0.7-150400.7.11.1 fixed
suse enterprise server 15 SP6	2.0.7-150400.7.11.1 fixed

python311-urllib3_1

suse enterprise desktop 15 SP6	1.26.18-150600.1.4 fixed
suse enterprise sap 15 SP6	1.26.18-150600.1.4 fixed
suse enterprise server 15 SP6	1.26.18-150600.1.4 fixed

python36

suse enterprise server 12 SP3

3.6.15-6.61.6

fixed

python36-PyYAML

suse enterprise server 12 SP3

5.3.1-6.5.12

fixed

python36-appdirs

suse enterprise server 12 SP3

1.4.3-6.3.8

fixed

python36-asn1crypto

suse enterprise server 12 SP3

0.24.0-6.3.16

fixed

python36-base

suse enterprise server 12 SP3

3.6.15-6.61.5

fixed

python36-boto3

suse enterprise server 12 SP3

1.17.9-6.3.11

fixed

python36-botocore

suse enterprise server 12 SP3

1.20.9-6.3.11

fixed

python36-certifi

suse enterprise server 12 SP3

2018.1.18-6.3.15

fixed

python36-cffi

suse enterprise server 12 SP3

1.11.5-6.3.18

fixed

python36-chardet

suse enterprise server 12 SP3

3.0.4-6.3.15

fixed

python36-colorama

suse enterprise server 12 SP3

0.4.4-6.3.15

fixed

python36-cryptography

suse enterprise server 12 SP3

2.8-6.3.17

fixed

python36-curses

suse enterprise server 12 SP3

3.6.15-6.61.6

fixed

python36-dbm

suse enterprise server 12 SP3

3.6.15-6.61.6

fixed

python36-devel

suse enterprise server 12 SP3

3.6.15-6.61.5

fixed

python36-docutils

suse enterprise server 12 SP3

0.14-6.3.8

fixed

python36-idle

suse enterprise server 12 SP3

3.6.15-6.61.6

fixed

python36-idna

suse enterprise server 12 SP3

2.6-6.5.15

fixed

python36-jmespath

suse enterprise server 12 SP3

0.9.3-6.3.14

fixed

python36-packaging

suse enterprise server 12 SP3

17.1-6.6.8

fixed

python36-ply

suse enterprise server 12 SP3

3.10-6.3.8

fixed

python36-ply-doc

suse enterprise server 12 SP3

3.10-6.3.8

fixed

python36-py

suse enterprise server 12 SP3

1.8.1-6.3.15

fixed

python36-pyOpenSSL

suse enterprise server 12 SP3

17.1.0-6.3.16

fixed

python36-pyasn1

suse enterprise server 12 SP3

0.1.9-6.3.18

fixed

python36-pycparser

suse enterprise server 12 SP3

2.10-6.3.9

fixed

python36-pyparsing

suse enterprise server 12 SP3

2.4.7-6.3.9

fixed

python36-pyparsing-doc

suse enterprise server 12 SP3

2.4.7-6.3.9

fixed

python36-python-dateutil

suse enterprise server 12 SP3

2.7.3-6.3.13

fixed

python36-requests

suse enterprise server 12 SP3

2.24.0-6.3.15

fixed

python36-rsa

suse enterprise server 12 SP3

3.4.2-6.3.15

fixed

python36-s3transfer

suse enterprise server 12 SP3

0.3.3-6.3.11

fixed

python36-setuptools

suse enterprise server 12 SP3

44.1.1-9.11.1

fixed

python36-setuptools-test

suse enterprise server 12 SP3

44.1.1-6.7.4

fixed

python36-setuptools-wheel

suse enterprise server 12 SP3

44.1.1-6.7.3

fixed

python36-simplejson

suse enterprise server 12 SP3

3.8.2-6.3.16

fixed

python36-six

suse enterprise server 12 SP3

1.14.0-6.7.3

fixed

python36-six-doc

suse enterprise server 12 SP3

1.14.0-6.7.6

fixed

python36-testsuite

suse enterprise server 12 SP3

3.6.15-6.61.5

fixed

python36-tk

suse enterprise server 12 SP3

3.6.15-6.61.6

fixed

python36-tools

suse enterprise server 12 SP3

3.6.15-6.61.5

fixed

python36-urllib3

suse enterprise server 12 SP3

1.25.10-6.3.13

fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

platform-python

RHEL 8

0:3.6.8-15.1.el8

fixed

platform-python-debug

RHEL 8

0:3.6.8-15.1.el8

fixed

platform-python-devel

RHEL 8

0:3.6.8-15.1.el8

fixed

python

RHEL 7

0:2.7.5-86.el7

fixed

python-debug

RHEL 7

0:2.7.5-86.el7

fixed

python-devel

RHEL 7

0:2.7.5-86.el7

fixed

python-libs

RHEL 7

0:2.7.5-86.el7

fixed

python-test

RHEL 7

0:2.7.5-86.el7

fixed

python-tools

RHEL 7

0:2.7.5-86.el7

fixed

python3-idle

RHEL 8

0:3.6.8-15.1.el8

fixed

python3-libs

RHEL 8

0:3.6.8-15.1.el8

fixed

python3-test

RHEL 8

0:3.6.8-15.1.el8

fixed

python3-tkinter

RHEL 8

0:3.6.8-15.1.el8

fixed

tkinter

RHEL 7

0:2.7.5-86.el7

fixed

Known Exploits!

Common Weakness Enumeration

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html

http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html

http://www.openwall.com/lists/oss-security/2021/02/04/2

http://www.securityfocus.com/bid/107466

https://access.redhat.com/errata/RHSA-2019:1260

https://access.redhat.com/errata/RHSA-2019:2030

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/errata/RHSA-2019:3520

https://access.redhat.com/errata/RHSA-2019:3725

https://bugs.python.org/issue36276

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

https://seclists.org/bugtraq/2019/Oct/29

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190619-0005/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

https://www.oracle.com/security-alerts/cpujul2022.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html

http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html

http://www.openwall.com/lists/oss-security/2021/02/04/2

http://www.securityfocus.com/bid/107466

https://access.redhat.com/errata/RHSA-2019:1260

https://access.redhat.com/errata/RHSA-2019:2030

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/errata/RHSA-2019:3520

https://access.redhat.com/errata/RHSA-2019:3725

https://bugs.python.org/issue36276

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

https://seclists.org/bugtraq/2019/Oct/29

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190619-0005/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

https://www.oracle.com/security-alerts/cpujul2022.html