FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- CRLF injection via the host part of the url passed to urlopen()

Affected packages
python27 < 2.7.18
python38 < 3.8.3
python37 <= 3.7.7
python36 < 3.6.10
python35 <= 3.5.9_4


VuXML ID ca595a25-91d8-11ea-b470-080027846a02
Discovery 2019-10-24
Entry 2020-05-09
Modified 2020-06-13

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.


CVE Name CVE-2019-18348