HTTP Header Injection (follow-up of CVE-2016-5699)

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

HTTP Header Injection, follow-up of CVE-2016-5699.

The fix disallows control chars in HTTP URLs.

This change broke applications sending invalid HTTP requests on purpose: bpo-36274 added private methods to the http.client.HTTPConnection class (_encode_request() and _validate_path()) which can be overriden in a subclass for that.

Note: Python 2 urllib.urlopen(url) always quotes the URL and so is not vulnerable to HTTP Header Injection.

Dates:

• Disclosure date: 2017-05-24 (Python issue bpo-30458 reported)

Fixed In

• Python 2.7.17 (2019-10-19) fixed by commit bb8071a (branch 2.7) (2019-05-21)
• Python 3.5.8 (2019-10-29) fixed by commit afe3a49 (branch 3.5) (2019-07-14)
• Python 3.6.9 (2019-07-02) fixed by commit c50d437 (branch 3.6) (2019-05-08)
• Python 3.7.4 (2019-07-08) fixed by commit 7e200e0 (branch 3.7) (2019-05-07)
• Python 3.8.0 (2019-10-14) fixed by commit c4e671e (branch 3.8) (2019-05-01)

Python issue

[security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699).

• Python issue: bpo-30458
• Creation date: 2017-05-24
• Reporter: Orange

CVE-2019-9740

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with rn (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

• CVE ID: CVE-2019-9740
• Published: 2019-03-13
• CVSS Score: 4.3

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with rn (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

• CVE ID: CVE-2019-9947
• Published: 2019-03-23
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2017-05-24 as reference:

• 2017-05-24: Python issue bpo-30458 reported by Orange
• 2019-03-13 (+658 days): CVE-2019-9740 published
• 2019-03-23 (+668 days): CVE-2019-9947 published
• 2019-05-01 (+707 days): commit c4e671e (branch 3.8)
• 2019-05-07 (+713 days): commit 7e200e0 (branch 3.7)
• 2019-05-08 (+714 days): commit c50d437 (branch 3.6)
• 2019-05-21 (+727 days): commit bb8071a (branch 2.7)
• 2019-07-02 (+769 days): Python 3.6.9 released
• 2019-07-08 (+775 days): Python 3.7.4 released
• 2019-07-14 (+781 days): commit afe3a49 (branch 3.5)
• 2019-10-14: Python 3.8.0 released
• 2019-10-19 (+878 days): Python 2.7.17 released
• 2019-10-29 (+888 days): Python 3.5.8 released

Links

• https://nvd.nist.gov/vuln/detail/CVE-2016-5699/