CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

http.client allows to pass control characters like CRLF newlines which can be abused to inject HTTP headers.

Dates:

• Disclosure date: 2019-10-24 (Python issue bpo-38576 reported)

Fixed In

• Python 2.7.18 (2020-04-19) fixed by commit e176e0c (branch 2.7) (2020-03-19)
• Python 3.5.10 (2020-09-05) fixed by commit 09d8172 (branch 3.5) (2020-06-20)
• Python 3.6.11 (2020-06-27) fixed by commit 83fc701 (branch 3.6) (2020-03-14)
• Python 3.7.8 (2020-06-27) fixed by commit 34f85af (branch 3.7) (2020-03-14)
• Python 3.8.3 (2020-05-13) fixed by commit ff69c9d (branch 3.8) (2020-03-14)
• Python 3.9.0 (2020-10-05) fixed by commit 9165add (branch 3.9) (2020-03-14)

Python issue

CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen().

• Python issue: bpo-38576
• Creation date: 2019-10-24
• Reporter: Riccardo Schirone

CVE-2019-18348

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with rn (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.

• CVE ID: CVE-2019-18348
• Published: 2019-10-23
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2019-10-24 as reference:

• 2019-10-23 (-1 days): CVE-2019-18348 published
• 2019-10-24: Python issue bpo-38576 reported by Riccardo Schirone
• 2020-03-14 (+142 days): commit 34f85af (branch 3.7)
• 2020-03-14 (+142 days): commit 83fc701 (branch 3.6)
• 2020-03-14 (+142 days): commit 9165add (branch 3.9)
• 2020-03-14 (+142 days): commit ff69c9d (branch 3.8)
• 2020-03-19 (+147 days): commit e176e0c (branch 2.7)
• 2020-04-19 (+178 days): Python 2.7.18 released
• 2020-05-13 (+202 days): Python 3.8.3 released
• 2020-06-20 (+240 days): commit 09d8172 (branch 3.5)
• 2020-06-27 (+247 days): Python 3.6.11 released
• 2020-06-27 (+247 days): Python 3.7.8 released
• 2020-09-05 (+317 days): Python 3.5.10 released
• 2020-10-05: Python 3.9.0 released