PT-2020-6266 · Python+10

Published: 2020-02-10 · Updated: 2025-08-11 · CVE-2020-26116

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Python versions 3.x before 3.5.10
Python versions 3.6.x before 3.6.12
Python versions 3.7.x before 3.7.9
Python versions 3.8.x before 3.8.5

Description

The issue stems from missing output encoding or escaping of the HTTP request method in Python. A remote attacker can exploit it to gain access to confidential data and compromise its integrity. The vulnerability is exploitable if the attacker controls the HTTP request method, for example by inserting CR and LF control characters in the first argument of HTTPConnection.request().

Recommendations

For Python versions 3.x before 3.5.10, update to version 3.5.10 or later.
For Python versions 3.6.x before 3.6.12, update to version 3.6.12 or later.
For Python versions 3.7.x before 3.7.9, update to version 3.7.9 or later.
For Python versions 3.8.x before 3.8.5, update to version 3.8.5 or later.
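
A defensive guard for the condition described above, as an added example (not code from this advisory or from CPython): it validates the method against the RFC 7230 token grammar before it reaches HTTPConnection.request(), and checks an interpreter version against the affected ranges listed here. The names safe_method, guarded_request and is_affected are hypothetical, and the tainted input is constructed.

```python
import re
import sys

# RFC 7230 "token": the only characters an HTTP request method may contain.
# CR, LF, space and every other control character fall outside this set.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# First fixed micro release per affected minor branch, from the advisory text.
_FIXED_MICRO = {5: 10, 6: 12, 7: 9, 8: 5}


def is_affected(version=None):
    """True if (major, minor, micro) lies in the advisory's affected ranges."""
    major, minor, micro = tuple(version or sys.version_info)[:3]
    if major != 3 or minor > 8:
        return False  # the advisory lists only 3.x branches up to 3.8
    if minor < 5:
        return True   # 3.0-3.4 are covered by "3.x before 3.5.10"
    return micro < _FIXED_MICRO[minor]


def safe_method(method):
    """Return method unchanged if it is a valid token, else raise ValueError."""
    # fullmatch (not match with "$") so a trailing "\n" is rejected as well.
    if not isinstance(method, str) or not _TOKEN_RE.fullmatch(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def guarded_request(conn, method, url, **kwargs):
    """Call conn.request() only after the method has passed validation."""
    return conn.request(safe_method(method), url, **kwargs)


if __name__ == "__main__":
    print("interpreter in affected range:", is_affected())
    # Constructed sample of attacker-influenced input containing CR and LF.
    tainted = "GET\r\nX-Constructed: 1"
    for candidate in ("GET", "PROPFIND", tainted):
        try:
            print("accepted:", repr(safe_method(candidate)))
        except ValueError as exc:
            print("rejected:", exc)
```

The guard is useful on interpreters that cannot be upgraded immediately; it does not replace the updates recommended above.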

Exploit

Fix

Weakness Enumeration

Special Elements Injection
Improper Encoding or Escaping of Output

Related Identifiers

ALSA-2021:1761
ALSA-2021:1879
ALT-PU-2020-2445
ALT-PU-2020-3395
ALT-PU-2021-1234
ALT-PU-2021-2653
ALT-PU-2024-3474
BDU:2021-03738
BIT-LIBPYTHON-2020-26116
BIT-PYTHON-2020-26116
BIT-PYTHON-MIN-2020-26116
CESA-2021_1633
CESA-2021_1761
CESA-2021_1879
CESA-2022_5235
CVE-2020-26116
DLA-2456-1
DLA-3432-1
DLA-3610-1
MGASA-2020-0451
OPENSUSE-SU-2020:1859-1
OPENSUSE-SU-2020:1988-1
OPENSUSE-SU-2020:2332-1
OPENSUSE-SU-2020:2333-1
OPENSUSE-SU-2020_1859-1
OPENSUSE-SU-2020_1988-1
OPENSUSE-SU-2020_2332-1
OPENSUSE-SU-2020_2333-1
OPENSUSE-SU-2024:11284-1
OPENSUSE-SU-2024:11285-1
OPENSUSE-SU-2024:11551-1
PSF-2020-5
RHSA-2020:4273
RHSA-2020:4285
RHSA-2020:4299
RHSA-2021:1633
RHSA-2021:1761
RHSA-2021:1879
RHSA-2021:3366
RHSA-2021_1633
RHSA-2021_1761
RHSA-2021_1879
RHSA-2022:5235
RHSA-2022_5235
RLSA-2021:1761
RLSA-2021:1879
ROSA-SA-2023-2203
SUSE-SU-2020:14550-1
SUSE-SU-2020:3115-1
SUSE-SU-2020:3121-1
SUSE-SU-2020:3262-1
SUSE-SU-2020:3563-1
SUSE-SU-2020:3930-1
SUSE-SU-2020_14550-1
SUSE-SU-2020_3115-1
SUSE-SU-2020_3121-1
SUSE-SU-2020_3262-1
SUSE-SU-2021:0299-1
SUSE-SU-2021:0341-1
SUSE-SU-2021:0342-1
SUSE-SU-2021:0486-1
SUSE-SU-2021:0515-1
SUSE-SU-2021_0299-1
SUSE-SU-2021_0341-1
USN-4581-1
USN-4754-3
USN-6891-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Python
Red Hat
Rocky Linux
SUSE
Ubuntu