PT-2020-6483 · Urllib3+9
Published: 2020-02-10 · Updated: 2026-06-03
CVE-2020-26137
CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 1.25.9
Description
The issue is related to insufficient neutralization of special elements in the HTTP request method, which can lead to CRLF injection if the attacker controls the HTTP request method. This can be demonstrated by inserting CR and LF control characters in the first argument of putrequest(). The exploitation of this issue may allow a remote attacker to access and compromise confidential data.
Recommendations
For versions prior to 1.25.9, update to version 1.25.9 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the putrequest() function to minimize the risk of exploitation.
Fix
DoS
Special Elements Injection
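One way to apply the workaround from the recommendations while an upgrade is pending, as an added example that is not part of the advisory or urllib3's own code: validate any caller-supplied HTTP method against the RFC 7230 token grammar and an allowlist before it reaches urllib3 or putrequest(). The names validate_http_method, is_safe_method and ALLOWED_METHODS are hypothetical, and the allowlist contents are an assumption about what the application needs.

```python
import re

# RFC 7230 "token" grammar: the only characters legal in an HTTP method.
_TOKEN = re.compile(r"[-!#$%&'*+.^_`|~0-9A-Za-z]+")

# Assumption: the application only ever needs these methods.
ALLOWED_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
)


def validate_http_method(method, allowed=ALLOWED_METHODS):
    """Return the upper-cased method, or raise ValueError if it is unsafe.

    Pass allowed=None to enforce only the token grammar.
    """
    if not isinstance(method, str):
        raise ValueError("HTTP method must be a str")
    # fullmatch, not match with '$': '$' would accept a trailing "\n".
    if not _TOKEN.fullmatch(method):
        raise ValueError("HTTP method has non-token characters: %r" % method)
    normalized = method.upper()
    if allowed is not None and normalized not in allowed:
        raise ValueError("HTTP method not in allowlist: %r" % normalized)
    return normalized


def is_safe_method(method, allowed=ALLOWED_METHODS):
    """Boolean wrapper for use in filters and log triage."""
    try:
        validate_http_method(method, allowed)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = ["get", "POST", "GET\n", "GET\r\nX-Constructed: 1", "GET /", ""]
    for s in samples:
        print("%-28r %s" % (s, "ok" if is_safe_method(s) else "rejected"))
```

Call validate_http_method() at the point where untrusted input is mapped to a request method, so that a rejected value never reaches the HTTP client.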
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Urllib3