CVE-2019-18348

Published: 23 October 2019

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
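The following is an added illustration of the host-component injection described above; it is not code from CPython or from this tracker. It renders the request a minimal HTTP client would put on the wire for a URL, once the way unpatched urllib/http.client behaved (the raw netloc copied straight into the Host header) and once with the control-character check the upstream fix added. The regular expression is the same character class CPython's http.client uses for this CVE; the URL splitter, request builder, header parser and interpreter probe are assumptions written for this example, and the URLs are constructed.

```python
"""Added illustration for CVE-2019-18348 (example code, not CPython's own).

A CRLF inside the host part of a URL ends the Host header line early, so
whatever follows it is parsed by the server as a separate, attacker-chosen
header.  The fix refuses any host containing control characters.
"""
import re
from typing import Dict, Tuple

# Same class as CPython's _contains_disallowed_url_pchar_re: ASCII control
# characters (CR and LF included), space and DEL are never legal in a host.
_DISALLOWED_HOST_CHAR_RE = re.compile(r"[\x00-\x20\x7f]")


class InvalidURL(ValueError):
    """Raised when a URL component would corrupt the request on the wire."""


def validate_host(host: str) -> str:
    """The CVE-2019-18348 check: refuse a host with control characters."""
    match = _DISALLOWED_HOST_CHAR_RE.search(host)
    if match:
        raise InvalidURL(
            f"URL can't contain control characters. {host!r} "
            f"(found at least {match.group()!r})"
        )
    return host


def split_url(url: str) -> Tuple[str, str]:
    """Return (netloc, path) without stripping anything (assumed helper).

    Deliberately not urllib.parse.urlsplit: current releases strip CR/LF
    from the URL before parsing, which would hide the bytes this example
    is about.  Pre-fix parsers handed the netloc through as-is.
    """
    sep = url.find("://")
    if sep == -1:
        raise InvalidURL(f"no scheme in {url!r}")
    rest = url[sep + 3:]
    slash = rest.find("/")
    if slash == -1:
        return rest, "/"
    return rest[:slash], rest[slash:]


def build_request(url: str, validate: bool = True) -> bytes:
    """Bytes a GET for `url` puts on the wire (assumed minimal client).

    validate=False mimics unpatched behaviour: a CRLF inside the netloc
    terminates the Host header and the attacker's text becomes a new
    header line.  validate=True applies validate_host() first.
    """
    netloc, path = split_url(url)
    if validate:
        validate_host(netloc)
    lines = [f"GET {path} HTTP/1.1", f"Host: {netloc}",
             "Accept-Encoding: identity", "", ""]
    return "\r\n".join(lines).encode("latin-1")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Read the request back the way a server would: one header per CRLF line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def is_rejected(url: str) -> bool:
    """True if the validating path refuses the URL outright."""
    try:
        build_request(url, validate=True)
    except InvalidURL:
        return True
    return False


def interpreter_has_fix() -> bool:
    """Probe the running http.client: patched releases raise InvalidURL when
    HTTPConnection is constructed with a CRLF in the host.  No socket is
    opened; connect() is lazy."""
    import http.client
    try:
        http.client.HTTPConnection("127.0.0.1\r\nX-Injected")
    except http.client.InvalidURL:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled URL: CRLF then a header in the host part.
    evil = "http://127.0.0.1\r\nX-Injected: 1/index.html"
    print(build_request(evil, validate=False).decode("latin-1"))
    print("parsed by server:", parse_headers(build_request(evil, validate=False)))
    print("rejected with check:", is_rejected(evil))
    print("this interpreter carries the fix:", interpreter_has_fix())
```

The check does not depend on the glibc behaviour mentioned in the description: whether or not getaddrinfo tolerates trailing characters, a host with a control character in it should never reach the HTTP layer, so the validation is the right place to stop it on an interpreter that predates the fix.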

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
python2.7
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (2.7.18~rc1-2)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.7.18~rc1-2)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.7.17-1~18.04ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus): Released (2.7.12-1ubuntu0~16.04.11)
Ubuntu 14.04 ESM (Trusty Tahr): Released (2.7.6-8ubuntu0.6+esm5)
Ubuntu 12.04 ESM (Precise Pangolin): Released (2.7.3-0ubuntu3.17)
Patches:
Upstream: https://github.com/python/cpython/commit/e176e0c105786e9f476758eb5438c57223b65e7f
python3.4
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Released (3.4.3-1ubuntu1~14.04.7+esm6)
Ubuntu 12.04 ESM (Precise Pangolin): Does not exist

python3.5
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 LTS (Xenial Xerus): Released (3.5.2-2ubuntu0~16.04.10)
Ubuntu 14.04 ESM (Trusty Tahr): Needed
Ubuntu 12.04 ESM (Precise Pangolin): Does not exist

python3.6
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Released (3.6.9-1~18.04ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Ubuntu 12.04 ESM (Precise Pangolin): Does not exist

Patches:
Upstream: https://github.com/python/cpython/commit/83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba
python3.7
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Ubuntu 12.04 ESM (Precise Pangolin): Does not exist

Patches:
Upstream: https://github.com/python/cpython/commit/34f85af3229f86c004a954c3f261ceea1f5e9f95
python3.8
Upstream: Needs triage
Ubuntu 20.10 (Groovy Gorilla): Released (3.8.2-1ubuntu1.1)
Ubuntu 20.04 LTS (Focal Fossa): Released (3.8.2-1ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 LTS (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Ubuntu 12.04 ESM (Precise Pangolin): Does not exist

Patches:
Upstream: https://github.com/python/cpython/commit/ff69c9d12c1b06af58e5eae5db4630cedd94740e