CVE-2019-9947

Name of the Vulnerable Software and Affected Versions Python versions 2.x through 2.7.16 Python versions 3.x through 3.7.3

Description An issue in the urllib2 and urllib modules allows for CRLF injection if an attacker controls a url parameter. This can be demonstrated by the first argument to urllib.request.urlopen with r in the path component of a URL that lacks a ? character, followed by an HTTP header or a Redis command. The issue is similar to a previous query string problem.

Recommendations For Python 2.x through 2.7.16, update to version 2.7.17 or later. For Python 3.x through 3.7.3, update to version 3.7.4 or later. As a temporary workaround, consider restricting the use of the urllib.request.urlopen function with untrusted URLs until a patch is applied. Avoid using URLs with r in the path component in the affected urllib.request.urlopen function until the issue is resolved.