CVE-2019-18348

Priority
Description
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib
in Python 3.x through 3.8.0. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the host component of a
URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query
string issue and the CVE-2019-9947 path string issue. (This is not
exploitable when glibc has CVE-2016-10739 fixed.)
Assigned-to
leosilva
Notes
leosilva: This issue can be reproduced only on systems where the glibc issue
mentioned in CVE-2016-10739 is not fixed.
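An added defensive check for the CRLF issue the description covers (this is example code, not part of the CVE record or of the upstream patches listed below): vet the raw URL string for control characters before it reaches urllib.request.urlopen and name the tainted component, so an application is not left depending on the interpreter's own check. Function names and the sample URL are constructed for this example.

```python
import re

# Control characters (NUL..US, which includes CR and LF) and DEL never belong in a URL.
_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def find_control_chars(url):
    """Return (index, char) of the first control character in the raw URL
    string, or None if there is none.

    The check runs on the raw string on purpose: since bpo-43882 the
    urllib.parse functions strip CR, LF and TAB before parsing, so inspecting
    urlsplit(url).hostname would miss exactly the bytes this CVE is about.
    """
    m = _CONTROL_CHARS.search(url)
    return None if m is None else (m.start(), m.group(0))


def component_of(url, index):
    """Name the URL component holding position `index`, splitting the raw
    string by hand (again avoiding urlsplit's stripping)."""
    scheme_end = url.find("://")
    if scheme_end == -1:
        return "unknown"
    host_start = scheme_end + 3
    # The authority ends at the first '/', '?' or '#', or at end of string.
    host_end = len(url)
    for sep in "/?#":
        pos = url.find(sep, host_start)
        if pos != -1:
            host_end = min(host_end, pos)
    if index < host_start:
        return "scheme"
    if index < host_end:
        return "host"
    return "path-or-later"


def vet_url(url):
    """Gate to call before urlopen(): reject the URL with a message naming the
    tainted component (host for this CVE, path/query for the related ones)."""
    hit = find_control_chars(url)
    if hit is not None:
        index, ch = hit
        raise ValueError("control character %r in %s component of URL"
                         % (ch, component_of(url, index)))
    return url
```

Call `vet_url()` on any caller-controlled URL and pass its return value to `urlopen()`; on a constructed input such as `"http://localhost\r\nX-Injected: 1/"` it raises `ValueError` naming the host component, and nothing is sent.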
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.3-0ubuntu3.17)
Ubuntu 14.04 ESM (Trusty Tahr):released (2.7.6-8ubuntu0.6+esm5)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.7.12-1ubuntu0~16.04.11)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.7.17-1~18.04ubuntu1)
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 LTS (Focal Fossa):not-affected (2.7.18~rc1-2)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2.7.18~rc1-2)
Patches:
Upstream:https://github.com/python/cpython/commit/e176e0c105786e9f476758eb5438c57223b65e7f
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (3.4.3-1ubuntu1~14.04.7+esm6)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):released (3.5.2-2ubuntu0~16.04.10)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (3.6.9-1~18.04ubuntu1)
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):released (3.7.5-2~19.10ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/34f85af3229f86c004a954c3f261ceea1f5e9f95
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 LTS (Focal Fossa):released (3.8.2-1ubuntu1.1)
Ubuntu 20.10 (Groovy Gorilla):released (3.8.2-1ubuntu1.1)
Patches:
Upstream:https://github.com/python/cpython/commit/ff69c9d12c1b06af58e5eae5db4630cedd94740e
Updated: 2020-05-13 19:14:29 UTC (commit 28f9b2c2acd1fa9ed861c4413d9abb6607b429b5)