PT-2022-2220 · Python+11

Published: 2021-04-18 · Updated: 2025-12-17 · CVE-2022-0391

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Python versions prior to 3.10.0b1
Python versions prior to 3.9.5
Python versions prior to 3.8.11
Python versions prior to 3.7.11
Python versions prior to 3.6.14

Description

The issue involves the urllib.parse module in Python, which does not properly sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to supply a crafted URL, leading to injection attacks. The attacker can exploit this issue by providing specially crafted data containing CR-LF symbols, which can alter the application's behavior.

Recommendations

For versions prior to 3.10.0b1, update to version 3.10.0b1 or later.
For versions prior to 3.9.5, update to version 3.9.5 or later.
For versions prior to 3.8.11, update to version 3.8.11 or later.
For versions prior to 3.7.11, update to version 3.7.11 or later.
For versions prior to 3.6.14, update to version 3.6.14 or later.

As a temporary workaround, consider restricting the use of the urlparse method in the urllib.parse module until a patch is available. Avoid using the urlparse method with untrusted input data.
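
A defensive check for the behavior described above, as an added example that is not part of the advisory or of CPython: it reports whether the running interpreter's urlsplit removes tab/CR/LF, and rejects untrusted URLs that contain them before parsing. The function names and the sample URL are assumptions made for illustration; tab is included because the upstream fix strips it along with CR and LF.

```python
from urllib.parse import urlsplit

# Characters the patched urllib.parse removes before splitting a URL.
UNSAFE = {"\t": "TAB", "\r": "CR", "\n": "LF"}

# Constructed sample input for illustration (not from the advisory).
SAMPLE = "http://example.test/a\r\nb?q=1"


def find_unsafe_chars(url):
    """Return [(index, name)] for every tab/CR/LF in the raw URL string."""
    return [(i, UNSAFE[c]) for i, c in enumerate(url) if c in UNSAFE]


def interpreter_strips_unsafe_chars():
    """True if this interpreter's urlsplit drops tab/CR/LF (patched behaviour)."""
    return find_unsafe_chars(urlsplit(SAMPLE).path) == []


def parse_untrusted_url(url):
    """Refuse URLs containing tab/CR/LF instead of relying on silent stripping.

    Works the same on patched and unpatched interpreters, and gives the
    caller something to log when a crafted URL is submitted.
    """
    hits = find_unsafe_chars(url)
    if hits:
        detail = ", ".join(f"{name} at offset {i}" for i, name in hits)
        raise ValueError(f"rejected URL with control characters: {detail}")
    return urlsplit(url)


if __name__ == "__main__":
    print("urlsplit strips tab/CR/LF:", interpreter_strips_unsafe_chars())
    for candidate in ("http://example.test/ok?q=1", SAMPLE):
        try:
            print("accepted path:", parse_untrusted_url(candidate).path)
        except ValueError as exc:
            print(exc)
```

Rejecting the input keeps the behavior identical across interpreter versions and leaves a record of the attempt, whereas the patched parser silently drops the characters.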

Exploit

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

ALSA-2022:1764
ALSA-2022:1821
ALSA-2022:6457
ALT-PU-2021-1784
ALT-PU-2021-2653
ALT-PU-2022-1471
ALT-PU-2022-3044
ALT-PU-2023-4581
ALT-PU-2024-3474
BDU:2022-02302
BIT-LIBPYTHON-2022-0391
BIT-PYTHON-2022-0391
BIT-PYTHON-MIN-2022-0391
CESA-2022_1764
CESA-2022_1821
CESA-2022_6457
CVE-2022-0391
DLA-3575-1
DLA-3966-1
DLA-4087-1
MGASA-2022-0367
OESA-2022-1566
OPENSUSE-SU-2022:1091-1
OPENSUSE-SU-2022_1091-1
OPENSUSE-SU-2024:11839-1
PSF-2022-8
RHSA-2021:3254
RHSA-2022:1663
RHSA-2022:1764
RHSA-2022:1821
RHSA-2022:6457
RHSA-2022_1764
RHSA-2022_1821
RHSA-2022_6457
RLSA-2022:1764
RLSA-2022:1821
ROSA-SA-2023-2203
ROSA-SA-2025-2646
SUSE-SU-2022:0882-1
SUSE-SU-2022:1091-1
SUSE-SU-2022:1140-1
USN-5342-1
USN-5342-2
USN-6891-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Python
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu