
CVE-2020-26137

Published: 30 September 2020

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
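The check that closes this class of bug, as an added illustration (not urllib3's own code; the function names are hypothetical): an HTTP method must be an RFC 7230 token, so any CR, LF or other non-token character in an attacker-controlled method string is rejected before it ever reaches the request line.

```python
import re

# Any character that is NOT an RFC 7230 "tchar" (the characters allowed in
# an HTTP method token). CR (0x0D) and LF (0x0A) are among the excluded ones.
_NON_TOKEN_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid token, else raise ValueError."""
    if not method:
        raise ValueError("HTTP method must not be empty")
    match = _NON_TOKEN_CHAR_RE.search(method)
    if match:
        raise ValueError(
            "HTTP method %r contains non-token character %r" % (method, match.group())
        )
    return method


def is_valid_method(method: str) -> bool:
    """Boolean form of validate_method(), convenient for filtering or tests."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def build_request_line(method: str, target: str, validate: bool = True) -> bytes:
    """Build the request line that precedes the headers on the wire.

    validate=False mirrors the pre-1.25.9 behaviour the advisory describes:
    the method is copied verbatim, so an embedded CRLF ends the request line
    early and everything after it is parsed by the server as more headers.
    """
    if validate:
        method = validate_method(method)
    return ("%s %s HTTP/1.1\r\n" % (method, target)).encode("latin-1")


def is_single_request_line(raw: bytes) -> bool:
    """True if the bytes form exactly one CRLF-terminated line (no injection)."""
    return raw.endswith(b"\r\n") and raw.count(b"\r\n") == 1


if __name__ == "__main__":
    # Constructed sample: a method value taken from untrusted input.
    tainted = "GET\r\nX-Injected: 1"
    print(is_valid_method("GET"), is_valid_method(tainted))        # True False
    print(is_single_request_line(build_request_line(tainted, "/", validate=False)))  # False
```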

Notes

Author    Note
mdeslaur  the python-pip package bundles python-urllib3 binaries
          when built. After updating python-urllib3, a no-change
          rebuild of python-pip is required.

Priority

Medium

CVSS 3 Severity Score

6.5

Status

Package: python-pip (Launchpad, Ubuntu, Debian)

Release   Status
trusty    Needed
xenial    Released (8.1.1-2ubuntu0.6)
bionic    Released (9.0.1-2.3~ubuntu1.18.04.3)
focal     Released (20.0.2-5ubuntu1.1)
groovy    Not vulnerable (20.1.1-2)
hirsute   Not vulnerable (20.1.1-2)
impish    Not vulnerable (20.1.1-2)
jammy     Not vulnerable (20.1.1-2)
kinetic   Not vulnerable (20.1.1-2)
lunar     Not vulnerable (20.1.1-2)
mantic    Not vulnerable (20.1.1-2)
upstream  Released (20.2)

Patches:
upstream: https://github.com/pypa/pip/commit/072b70b9bf7819e87995728b480eaa71622b16a8

Package: python-urllib3 (Launchpad, Ubuntu, Debian)

Release   Status
trusty    Needed
xenial    Released (1.13.1-2ubuntu0.16.04.4)
bionic    Released (1.22-1ubuntu0.18.04.2)
focal     Released (1.25.8-2ubuntu0.1)
groovy    Not vulnerable (1.25.9-1)
hirsute   Not vulnerable (1.25.9-1)
impish    Not vulnerable (1.25.9-1)
jammy     Not vulnerable (1.25.9-1)
kinetic   Not vulnerable (1.25.9-1)
lunar     Not vulnerable (1.25.9-1)
mantic    Not vulnerable (1.25.9-1)
upstream  Released (1.25.9)

Patches:
upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Severity score breakdown

Parameter               Value
Base score              6.5
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  Low
Integrity impact        Low
Availability impact     None
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N