PT-2019-4685 · Python+9 · Python+11

Published 2019-03-23 · Updated 2025-11-07 · CVE-2019-9947

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Python versions 2.x through 2.7.16; Python versions 3.x through 3.7.3.

Description: An issue in the urllib2 and urllib modules allows CRLF injection if an attacker controls a url parameter. It can be demonstrated by passing, as the first argument to urllib.request.urlopen, a URL whose path component contains \r\n and lacks a ? character, followed by an HTTP header or a Redis command. The issue is similar to a previous query string problem.

Recommendations: For Python 2.x through 2.7.16, update to version 2.7.17 or later. For Python 3.x through 3.7.3, update to version 3.7.4 or later. As a temporary workaround, consider restricting the use of the urllib.request.urlopen function with untrusted URLs until a patch is applied. Avoid passing URLs that contain \r\n in the path component to the affected urllib.request.urlopen function until the issue is resolved.
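The workaround above amounts to not letting an untrusted URL reach urlopen unchecked. The following is an added example, not code from the advisory or from the Python project, of how such a guard can look: the function names (`validate_url`, `safe_urlopen`, `is_safe_url`) and the sample URLs are constructed for illustration. It rejects any URL carrying a raw ASCII control character (which covers the \r\n case described here) and additionally restricts the scheme and requires a host, since a wrapper that already sits in front of urlopen is the natural place for those checks too.

```python
"""
Added example (not part of the advisory): screen URLs before they reach
urllib.request.urlopen so that raw control characters such as \r\n can
never be written into the HTTP request line.

Assumed names: validate_url, safe_urlopen, is_safe_url, ALLOWED_SCHEMES.
Sample URLs below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit
from urllib.request import urlopen

# Any ASCII control character (0x00-0x1F and DEL) is rejected. \r and \n are
# the CRLF-injection case from the advisory; the others are refused for the
# same reason: none of them belongs in a URL that is sent over the wire.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Schemes the wrapper is willing to fetch (assumed policy for this example).
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_url(url):
    """Return url unchanged if it passes every check, otherwise raise."""
    if not isinstance(url, str):
        raise TypeError("url must be a str")
    # Check the raw string *before* parsing: urlsplit in current Python
    # versions silently strips tab, CR and LF, which would hide the problem.
    if _CONTROL_CHARS.search(url):
        raise ValueError("URL contains ASCII control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_safe_url(url):
    """Boolean form of validate_url, convenient for logging or filtering."""
    try:
        validate_url(url)
    except (TypeError, ValueError):
        return False
    return True


def safe_urlopen(url, timeout=10):
    """Drop-in replacement for urlopen that validates first. Makes network calls."""
    return urlopen(validate_url(url), timeout=timeout)


# Constructed samples: expected verdict for each.
SAMPLES = {
    "http://example.com/api/item/1": True,
    # CRLF in a path that has no '?': the case the advisory describes.
    "http://example.com/api/item/1\r\nX-Constructed: 1": False,
    # CRLF in the query string is refused by the same check.
    "http://example.com/api?q=1\r\nX-Constructed: 1": False,
    # Percent-encoded CRLF is ordinary data: urlopen sends it still encoded.
    "http://example.com/api/item/1%0d%0a": True,
    "file:///etc/hosts": False,
    "http://": False,
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        verdict = is_safe_url(sample)
        print("%-5s %r" % (verdict, sample))
        assert verdict == expected
```

Two design points: the control-character test runs on the raw string rather than on the parsed components, because `urllib.parse.urlsplit` in recent Python releases removes tab, CR and LF before parsing and would therefore never show them; and the wrapper stays useful after patching, since fixed interpreters (3.7.4 and later) raise from `http.client` on such URLs, but a validation step in your own code produces a clear error at the trust boundary and also enforces the scheme and host policy.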

Related Identifiers

ALSA-2019:3335
ALT-PU-2019-2535
ALT-PU-2019-2944
ALT-PU-2019-3103
ALT-PU-2020-3318
BDU:2020-01057
CESA-2019_2030
CESA-2019_3335
CESA-2019_3520
CVE-2019-9947
DLA-1834-1
DLA-1835-1
DLA-1835-2
DLA-2280-1
DLA-2337-1
MGASA-2019-0318
OPENSUSE-SU-2019:2389-1
OPENSUSE-SU-2019:2393-1
OPENSUSE-SU-2019_2389-1
OPENSUSE-SU-2019_2393-1
OPENSUSE-SU-2020:0086-1
OPENSUSE-SU-2020_0086-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11283-1
OPENSUSE-SU-2024:11284-1
OPENSUSE-SU-2024:11285-1
OPENSUSE-SU-2024:11286-1
OPENSUSE-SU-2024:12089-1
OPENSUSE-SU-2024:12910-1
OPENSUSE-SU-2024:14109-1
OPENSUSE-SU-2024:14434-1
OPENSUSE-SU-2025:15713-1
PSF-2019-11
RHSA-2019:1260
RHSA-2019:2030
RHSA-2019:3335
RHSA-2019:3520
RHSA-2019:3725
RHSA-2019_2030
RHSA-2019_3335
RHSA-2019_3520
RHSA-2020:1268
RHSA-2020:1346
RHSA-2020:1462
RLSA-2019:3335
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2020:0775-1
SUSE-SU-2019:1352-1
SUSE-SU-2019:1352-2
SUSE-SU-2019:14246-1
SUSE-SU-2019:2743-1
SUSE-SU-2019_1352-1
SUSE-SU-2019_1352-2
SUSE-SU-2019_14246-1
SUSE-SU-2020:0114-1
SUSE-SU-2020:0234-1
SUSE-SU-2020:0302-1
SUSE-SU-2020:2699-1
SUSE-SU-2025:20025-1
SUSE-SU-2025:20154-1
SUSE-SU-2025:20492-1
USN-4127-1
USN-4127-2
USN-6891-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Python
Red Hat
Redis
Rocky Linux
Suse
Ubuntu
Urllib
Urllib2