CVE-2020-11078

In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
CRLF Injection
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
Affected Products (NVD)
VendorProductVersion
httplib2_projecthttplib2
𝑥
< 0.18.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-httplib2
bookworm
0.20.4-3
fixed
bullseye
0.18.1-3
fixed
buster
no-dsa
sid
0.22.0-1
fixed
stretch
no-dsa
trixie
0.22.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-httplib2
bionic
needed
eoan
ignored
focal
needed
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
needed
xenial
needed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
fence-agents-aliyun
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-all
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-amt-ws
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-apc
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-apc-snmp
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-aws
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-azure-arm
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-bladecenter
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-brocade
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-cisco-mds
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-cisco-ucs
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-common
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-compute
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-drac5
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-eaton-snmp
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-emerson
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-eps
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-gce
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-heuristics-ping
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-hpblade
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ibmblade
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ifmib
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ilo-moonshot
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ilo-mp
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ilo-ssh
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ilo2
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-intelmodular
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ipdu
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-ipmilan
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-kdump
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-lpar
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-mpath
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-redfish
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-rhevm
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-rsa
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-rsb
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-sbd
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-scsi
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-virsh
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-vmware-rest
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-vmware-soap
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-wti
RHEL 7
0:4.2.1-41.el7_9.2
fixed
fence-agents-zvm
RHEL 7
0:4.2.1-41.el7_9.2
fixed
resource-agents
RHEL 7
0:4.1.1-61.el7_9.4
fixed
RHEL 8
0:4.1.1-68.el8
fixed
resource-agents-aliyun
RHEL 7
0:4.1.1-61.el7_9.4
fixed
RHEL 8
0:4.1.1-68.el8
fixed
resource-agents-gcp
RHEL 7
0:4.1.1-61.el7_9.4
fixed
RHEL 8
0:4.1.1-68.el8
fixed
resource-agents-sap
RHEL 7
0:4.1.1-61.el7_9.4
fixed
resource-agents-sap-hana
RHEL 7
0:4.1.1-61.el7_9.4
fixed
resource-agents-sap-hana-scaleout
RHEL 7
0:0.164.0-6.el7_9.4
fixed
sap-cluster-connector
RHEL 7
0:3.0.1-37.el7_9.4
fixed
Common Weakness Enumeration
References
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E
https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/