CVE-2020-26137
Publication date 30 September 2020
Last updated 24 July 2024
Ubuntu priority
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-pip | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 20.0.2-5ubuntu1.1
|
|
| 18.04 LTS bionic |
Fixed 9.0.1-2.3~ubuntu1.18.04.3
|
|
| 16.04 LTS xenial |
Fixed 8.1.1-2ubuntu0.6
|
|
| 14.04 LTS trusty |
Vulnerable
|
|
| python-urllib3 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 1.25.8-2ubuntu0.1
|
|
| 18.04 LTS bionic |
Fixed 1.22-1ubuntu0.18.04.2
|
|
| 16.04 LTS xenial |
Fixed 1.13.1-2ubuntu0.16.04.4
|
|
| 14.04 LTS trusty |
Vulnerable
|
Notes
mdeslaur
the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4570-1
- urllib3 vulnerability
- 5 October 2020