CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()¶

http.client allows to pass control characters like CRLF newlines which can be abused to inject HTTP headers.

Disclosure date: 2019-10-24 (Python issue bpo-38576 reported)

Fixed In¶

Python 2.7.18 (2020-04-19) fixed by commit e176e0c (branch 2.7) (2020-03-19)
Python 3.6.11 (2020-06-27) fixed by commit 83fc701 (branch 3.6) (2020-03-14)
Python 3.7.8 (2020-06-27) fixed by commit 34f85af (branch 3.7) (2020-03-14)
Python 3.8.3 (2020-05-14) fixed by commit ff69c9d (branch 3.8) (2020-03-14)

Vulnerable Versions¶

Python 3.5 (need release)

Python issue¶

CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen().

Python issue: bpo-38576
Creation date: 2019-10-24
Reporter: Riccardo Schirone

CVE-2019-18348¶

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with rn (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

CVE ID: CVE-2019-18348
Published: 2019-10-23
CVSS Score: 4.3

Timeline¶

Timeline using the disclosure date 2019-10-24 as reference:

2019-10-23 (-1 days): CVE-2019-18348 published
2019-10-24: Python issue bpo-38576 reported by Riccardo Schirone
2020-03-14 (+142 days): commit 34f85af (branch 3.7)
2020-03-14 (+142 days): commit 83fc701 (branch 3.6)
2020-03-14 (+142 days): commit 9165add (branch 3.9)
2020-03-14 (+142 days): commit ff69c9d (branch 3.8)
2020-03-19 (+147 days): commit e176e0c (branch 2.7)
2020-04-19 (+178 days): Python 2.7.18 released
2020-05-14 (+203 days): Python 3.8.3 released
2020-06-20 (+240 days): commit 09d8172 (branch 3.5)
2020-06-27 (+247 days): Python 3.6.11 released
2020-06-27 (+247 days): Python 3.7.8 released