PT-2019-5894 · Python+8 · Python+10
Published 2019-03-12 · Updated 2024-07-12 · CVE-2019-9740
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Python versions 2.x through 2.7.16
Python versions 3.x through 3.7.3
Description
The issue lies in the urllib2 module of Python 2 (urllib.request in Python 3), which does not properly neutralize CRLF sequences. This allows CRLF injection when an attacker controls a URL parameter, for example the first argument to urllib.request.urlopen: a \r\n pair placed in the query string after the ? character, followed by an HTTP header or a Redis command, is passed through into the request.
Recommendations
For Python 2.x through 2.7.16, update to version 2.7.17 or later.
For Python 3.x through 3.7.3, update to version 3.7.4 or later.
As a temporary workaround, avoid calling urllib.request.urlopen with untrusted URL parameters until the update is applied.
Restrict access to the urllib module to minimize the risk of exploitation.
Exploit
Fix
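As an added example (not code from the advisory or from CPython), a pre-check that refuses URLs carrying control characters before they reach urlopen, plus a probe that tells you whether the running interpreter's http.client already rejects a CRLF in the request line, which is what the patched versions do. CLEAN_URL, MALICIOUS_URL and the hostname example.invalid are constructed sample values.

```python
import re
import http.client
from urllib.parse import urlsplit

# Constructed sample values (not taken from the advisory): a clean URL and one
# whose query string carries a CR LF pair followed by an injected header line.
CLEAN_URL = "http://example.invalid/api?q=abc"
MALICIOUS_URL = "http://example.invalid/api?q=abc\r\nX-Injected: 1\r\n"

# Bytes that must never reach the HTTP request line: NUL through space, and DEL.
# CR (\x0d) and LF (\x0a) are the ones CRLF injection relies on; patched
# http.client refuses the same class before anything is sent.
_DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_url(url: str) -> bool:
    """Return True only for an http(s) URL with a host and no control characters.

    Run this on any attacker-influenced value before it reaches urlopen. A
    percent-encoded %0D%0A passes, since it is not a raw control character.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return _DISALLOWED_URL_CHARS.search(url) is None


def interpreter_rejects_crlf(path: str = "/api?q=abc\r\nX-Injected: 1") -> bool:
    """Return True when this interpreter's http.client refuses CRLF in the request line.

    putrequest() only buffers the request line, so no connection is opened.
    An unpatched interpreter would buffer the split line and return False.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    for url in (CLEAN_URL, MALICIOUS_URL):
        print(repr(url), "->", "accepted" if is_safe_url(url) else "rejected")
    print("http.client rejects CRLF in request line:", interpreter_rejects_crlf())
```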
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu
Urllib
Urllib2