http.client: HTTP Header Injection in the HTTP method
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
It is possible to inject HTTP headers via the HTTP method argument, because http.client does not reject newline characters in the method name before writing the request line.
Dates:
Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)
Fixed In
Python 3.5.10 (2020-09-05) fixed by commit 524b8de (branch 3.5) (2020-09-04)
Python 3.6.12 (2020-08-15) fixed by commit f02de96 (branch 3.6) (2020-07-19)
Python 3.7.9 (2020-08-15) fixed by commit ca75fec (branch 3.7) (2020-07-19)
Python 3.8.5 (2020-07-20) fixed by commit 668d321 (branch 3.8) (2020-07-18)
Python 3.9.0 (2020-10-05) fixed by commit 27b8110 (branch 3.9) (2020-07-18)
Python issue
[security][CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method.
Python issue: bpo-39603
Creation date: 2020-02-10
Reporter: Max
CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVE ID: CVE-2020-26116
Published: 2020-09-27
CVSS Score: 6.4
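As an added example (not the page's or CPython's code), a defender-side check for this bug: an RFC 7230 token validator for method names, a count of how many wire lines an unvalidated method would occupy, and a probe that asks the running interpreter whether its http.client refuses a method containing CR/LF, which confirms a deployment carries the fix without relying on version strings. The validator is stricter than the upstream control-character check, and the header name X-Probe is a constructed value.

```python
import http.client
import re

# RFC 7230 "token" grammar: the only characters a valid HTTP method may contain.
# CR, LF and every other control character are excluded, so a method that passes
# this check cannot terminate the request line early. This validator is an added
# example, not CPython's own check, and it is deliberately stricter.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_LINE_BREAK_RE = re.compile(r"\r\n|\r|\n")


def is_valid_method(method) -> bool:
    """True only when `method` is a non-empty RFC 7230 token."""
    return isinstance(method, str) and _TOKEN_RE.fullmatch(method) is not None


def validate_method(method: str) -> str:
    """Return `method` unchanged, or raise ValueError before any bytes are built."""
    if not is_valid_method(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return method


def request_line_count(method: str, target: str = "/") -> int:
    """Number of lines an unvalidated request line would occupy on the wire.
    A compliant request line is exactly one; more than one means the method
    carried a line break that the peer will parse as additional header lines."""
    raw = f"{method} {target} HTTP/1.1\r\n"
    return len([line for line in _LINE_BREAK_RE.split(raw) if line])


def interpreter_rejects_crlf_method() -> bool:
    """Probe the running interpreter: a fixed http.client raises ValueError from
    putrequest() before anything is sent; an unfixed one silently buffers the
    split request line. No socket is opened, putrequest() only fills a buffer."""
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET\r\nX-Probe: 1", "/")  # constructed probe value
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print("interpreter has the fix:", interpreter_rejects_crlf_method())
    print("wire lines for 'GET':", request_line_count("GET"))
```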
Timeline
Timeline using the disclosure date 2020-02-10 as reference:
2020-02-10: Python issue bpo-39603 reported by Max
2020-07-18 (+159 days): commit 27b8110 (branch 3.9)
2020-07-18 (+159 days): commit 668d321 (branch 3.8)
2020-07-19 (+160 days): commit ca75fec (branch 3.7)
2020-07-19 (+160 days): commit f02de96 (branch 3.6)
2020-07-20 (+161 days): Python 3.8.5 released
2020-08-15 (+187 days): Python 3.6.12 released
2020-08-15 (+187 days): Python 3.7.9 released
2020-09-04 (+207 days): commit 524b8de (branch 3.5)
2020-09-05 (+208 days): Python 3.5.10 released
2020-09-27 (+230 days): CVE-2020-26116 published
2020-10-05: Python 3.9.0 released