CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/02/04/2	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1260	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2030	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3335	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3520	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3725	Third Party Advisory
https://bugs.python.org/issue35906	Exploit Issue Tracking Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
https://security.gentoo.org/glsa/202003-26	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190404-0004/	Third Party Advisory
https://usn.ubuntu.com/4127-1/	Third Party Advisory
https://usn.ubuntu.com/4127-2/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

History

No history.

Information

Published : 2019-03-23 18:29

Updated : 2023-11-07 03:13

NVD link : CVE-2019-9947

Mitre link : CVE-2019-9947

CVE.ORG link : CVE-2019-9947

JSON object : View

Products Affected

python

python

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

{"id": "CVE-2019-9947", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-03-23T18:29:02.027", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2021/02/04/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:1260", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:2030", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:3335", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:3520", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:3725", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://bugs.python.org/issue35906", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202003-26", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20190404-0004/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4127-1/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4127-2/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."}, {"lang": "es", "value": "Se detect\u00f3 un problema en urllib2 en Python versi\u00f3n 2.x hasta la versi\u00f3n 2.7.16 y urllib en Python versi\u00f3n 3.x hasta la versi\u00f3n 3.7.3. La inyecci\u00f3n de CRLF es posible si el atacante controla un par\u00e1metro url, como lo demuestra el primer argumento de urllib.request.urlopen con \\r\\n (espec\u00edficamente en el componente path de una URL que carece de un car\u00e1cter ?) Seguido por un encabezado HTTP o Un comando Redis. Esto se igual al CVE-2019-9740 problema con la cadena de consulta. Esto est\u00e1 corregido en las versiones: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9"}], "lastModified": "2023-11-07T03:13:49.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B09B31A2-30BF-4E95-81A3-F77FD97DF5B6", "versionEndExcluding": "2.7.17", "versionStartIncluding": "2.7.0"}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A384586-B574-4240-8BCF-CCE69498F336", "versionEndExcluding": "3.5.8", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C052B2D-757B-4342-8BE9-510A08599779", "versionEndExcluding": "3.6.9", "versionStartIncluding": "3.6.0"}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8E7B12E-74D0-4E51-A0A6-6C1A8B277055", "versionEndExcluding": "3.7.4", "versionStartIncluding": "3.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-9947

6.1^/10

4.3^/10

Attach tags to `CVE-2019-9947`