HTTP Header Injection (follow-up of CVE-2016-5699)
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
HTTP Header Injection, follow-up of CVE-2016-5699.
The fix disallows control characters in HTTP URLs.
This change broke applications that send invalid HTTP requests on purpose: bpo-36274 added two private methods to the http.client.HTTPConnection class, _encode_request() and _validate_path(), which can be overridden in a subclass for that purpose.
Note: Python 2 urllib.urlopen(url) always quotes the URL and so is not vulnerable to HTTP Header Injection.
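The following is an added example, not code from the python-security page or from CPython: a pre-flight validator for URLs built from untrusted input before they reach urllib.request.urlopen(), a percent-encoding helper that reproduces what Python 2's urllib.urlopen() did implicitly for the whole URL, and a check that the patched http.client refuses a request target containing CR/LF before any socket is opened. The character class is assumed to mirror the one the fix added to Lib/http/client.py (control characters, space and DEL); the host "example.invalid" and the tainted query value are constructed sample input.

```python
"""Added example (not from the python-security page or CPython itself):
a pre-flight validator for URLs handed to urllib.request.urlopen(), plus a
check that the patched http.client rejects request targets containing
control characters before any socket is opened."""

import http.client
import re
from urllib.parse import quote

# Characters that must never appear in a raw request target. Assumption:
# same class as the regex the CVE-2019-9740 / CVE-2019-9947 fix added to
# Lib/http/client.py (control chars, space, DEL).
_DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def find_disallowed_char(url: str):
    """Return the first disallowed character in *url*, or None if it is clean.

    Works on the raw string on purpose: newer urllib.parse.urlsplit() silently
    strips \\t, \\r and \\n, so parse only after this check has passed.
    """
    match = _DISALLOWED_URL_CHARS.search(url)
    return match.group() if match else None


def request_target_is_safe(url: str) -> bool:
    """True if a URL built from untrusted input may be passed to urlopen()."""
    return find_disallowed_char(url) is None


def encode_untrusted_segment(value: str) -> str:
    """Percent-encode one untrusted path/query value so CR, LF and friends can
    never reach the request line (Python 2's urllib.urlopen() quoted the
    whole URL this way, which is why it was not affected)."""
    return quote(value, safe="")


def stdlib_rejects(path: str) -> bool:
    """True if http.client refuses to serialise *path* as a request target.

    putrequest() validates the target before connecting, so this runs
    offline; the constructed host 'example.invalid' is never resolved."""
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample input: a query value carrying CR LF, the pattern the
    # CVE descriptions above refer to.
    tainted = "x\r\nX-Injected: 1"
    raw_url = "http://example.invalid/search?q=" + tainted
    print("raw URL safe:", request_target_is_safe(raw_url))
    print("offending char:", repr(find_disallowed_char(raw_url)))
    safe_url = "http://example.invalid/search?q=" + encode_untrusted_segment(tainted)
    print("encoded URL:", safe_url, request_target_is_safe(safe_url))
    print("http.client rejects raw target:", stdlib_rejects("/search?q=" + tainted))
```

The validator checks the raw string rather than the output of urlsplit(), because recent urllib.parse versions strip tab, CR and LF from a URL before parsing; a check run after parsing would therefore pass input that an older interpreter, or a different HTTP client fed the same string, would still send verbatim.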
Dates:
Disclosure date: 2017-05-24 (Python issue bpo-30458 reported)
Fixed In
Python 2.7.17 (2019-10-19) fixed by commit bb8071a (branch 2.7) (2019-05-21)
Python 3.5.8 (2019-10-29) fixed by commit afe3a49 (branch 3.5) (2019-07-14)
Python 3.6.9 (2019-07-02) fixed by commit c50d437 (branch 3.6) (2019-05-08)
Python 3.7.4 (2019-07-08) fixed by commit 7e200e0 (branch 3.7) (2019-05-07)
Python 3.8.0 (2019-10-14) fixed by commit c4e671e (branch 3.8) (2019-05-01)
Python issue
[security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699).
Python issue: bpo-30458
Creation date: 2017-05-24
Reporter: Orange
CVE-2019-9740
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVE ID: CVE-2019-9740
Published: 2019-03-13
CVSS Score: 4.3
CVE-2019-9947
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVE ID: CVE-2019-9947
Published: 2019-03-23
CVSS Score: 4.3
Timeline
Timeline using the disclosure date 2017-05-24 as reference:
2017-05-24: Python issue bpo-30458 reported by Orange
2019-03-13 (+658 days): CVE-2019-9740 published
2019-03-23 (+668 days): CVE-2019-9947 published
2019-05-01 (+707 days): commit c4e671e (branch 3.8)
2019-05-07 (+713 days): commit 7e200e0 (branch 3.7)
2019-05-08 (+714 days): commit c50d437 (branch 3.6)
2019-05-21 (+727 days): commit bb8071a (branch 2.7)
2019-07-02 (+769 days): Python 3.6.9 released
2019-07-08 (+775 days): Python 3.7.4 released
2019-07-14 (+781 days): commit afe3a49 (branch 3.5)
2019-10-14 (+873 days): Python 3.8.0 released
2019-10-19 (+878 days): Python 2.7.17 released
2019-10-29 (+888 days): Python 3.5.8 released