CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

http.client accepts control characters such as CRLF newlines in the host part of a URL, which can be abused to inject HTTP headers into the outgoing request.

  • Disclosure date: 2019-10-24 (Python issue bpo-38576 reported)

Fixed In

Vulnerable Versions

  • Python 3.5 (need release)

Python issue

CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen().

  • Python issue: bpo-38576
  • Creation date: 2019-10-24
  • Reporter: Riccardo Schirone

CVE-2019-18348

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
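The following is an added example, not CPython's code or the original bug report. It re-implements in simplified form how a pre-fix http.client copied the host component of a URL into the Host header unchecked, the control-character check that fixed versions perform, and a server-side header split showing why the injected line is treated as a separate header. The URL splitter, the payload URL, the function names and the `_CONTROL_CHARS` class (assumed to match the character class http.client uses) are all assumptions made for the illustration. The payload uses an IPv4 literal on purpose: as the CVE text above notes, the attack only reaches the wire when glibc's getaddrinfo still accepts trailing characters after an address (CVE-2016-10739). No network connection is made.

```python
"""CRLF injection through the host component of a URL (CVE-2019-18348).

Added example, not CPython's code. It mimics, in simplified form, the
pre-fix behaviour (host copied into the Host header unchecked) and the
host validation that fixed versions perform. Nothing here opens a socket.
"""
import http.client
import re

# Constructed payload: an IPv4 literal with CRLF and an extra header glued
# on. Per the CVE text this only reaches a server when glibc still accepts
# trailing garbage after an IPv4 address in getaddrinfo (CVE-2016-10739).
MALICIOUS_URL = "http://127.0.0.1\r\nX-Injected: 1/index.html"
BENIGN_URL = "http://127.0.0.1/index.html"

# Control characters rejected in a URL component (assumption: same class
# as the regex http.client uses for this check).
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def split_url(url):
    """Minimal scheme://netloc/path splitter (hypothetical helper) that,
    like the vulnerable parser, passes control characters through to the
    netloc untouched."""
    scheme, _, rest = url.partition("://")
    end = len(rest)
    for stop in "/?#":
        idx = rest.find(stop)
        if 0 <= idx < end:
            end = idx
    return scheme, rest[:end], rest[end:] or "/"


def build_request_unpatched(url):
    """Bytes a pre-fix client would send: the host goes into Host verbatim.
    Deliberately vulnerable; this is the 'before' behaviour."""
    _, host, path = split_url(url)
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "", ""]
    return "\r\n".join(lines).encode("latin-1")


def validate_host(host):
    """The check the fix adds: refuse control characters in the host."""
    match = _CONTROL_CHARS.search(host)
    if match:
        raise http.client.InvalidURL(
            f"URL can't contain control characters. {host!r} "
            f"(found at least {match.group()!r})")
    return host


def build_request_patched(url):
    """Same as build_request_unpatched, but validates the host first."""
    _, host, path = split_url(url)
    validate_host(host)
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "", ""]
    return "\r\n".join(lines).encode("latin-1")


def is_rejected(url):
    """True if the patched builder refuses the URL with InvalidURL."""
    try:
        build_request_patched(url)
    except http.client.InvalidURL:
        return True
    return False


def parse_request(raw):
    """Split a raw request the way a server does: request line first,
    then one header per CRLF-delimited line. Returns (line, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def interpreter_rejects_host(host):
    """True if this Python's http.client refuses the host when the
    connection object is constructed (no connect() is called)."""
    try:
        http.client.HTTPConnection(host)
    except http.client.InvalidURL:
        return True
    return False


if __name__ == "__main__":
    raw = build_request_unpatched(MALICIOUS_URL)
    print(raw)
    print(parse_request(raw))  # X-Injected shows up as its own header
    print("patched builder rejects:", is_rejected(MALICIOUS_URL))
    print("this interpreter rejects:",
          interpreter_rejects_host(split_url(MALICIOUS_URL)[1]))
```

Running the script shows the unpatched request parsed into two headers, `Host: 127.0.0.1` and `X-Injected: 1`, while the patched builder raises `http.client.InvalidURL` before anything is serialized. `interpreter_rejects_host` reports whether the Python you run it on applies the same check when `HTTPConnection` is constructed; fixed releases return True. The example splits the URL by hand rather than with `urllib.parse.urlsplit` because current releases of urllib.parse strip CR and LF from a URL before parsing, which would hide the characters the example is meant to show.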

Timeline

Timeline using the disclosure date 2019-10-24 as reference: