CVE-2020-26137
Publication date 30 September 2020
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Status
Package | Ubuntu Release | Status |
---|---|---|
python-pip | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Fixed 20.0.2-5ubuntu1.1
|
|
18.04 LTS bionic |
Fixed 9.0.1-2.3~ubuntu1.18.04.3
|
|
16.04 LTS xenial |
Fixed 8.1.1-2ubuntu0.6
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
python-urllib3 | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Fixed 1.25.8-2ubuntu0.1
|
|
18.04 LTS bionic |
Fixed 1.22-1ubuntu0.18.04.2
|
|
16.04 LTS xenial |
Fixed 1.13.1-2ubuntu0.16.04.4
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed |
Notes
mdeslaur
the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4570-1
- urllib3 vulnerability
- 5 October 2020