A vulnerability was found in urllib3 up to 1.24.1 on Python and classified as critical. Affected by this issue is some unknown processing. The manipulation as part of a Parameter leads to a crlf injection vulnerability. Using CWE to declare the problem leads to CWE-93. The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. Impacted is confidentiality, integrity, and availability. CVE summarizes:

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

The bug was discovered 03/18/2019. The weakness was disclosed 04/15/2019 (Website). The advisory is shared for download at lists.fedoraproject.org. This vulnerability is handled as CVE-2019-11236 since 04/15/2019. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 28 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 197469 (Ubuntu Security Notification for Python-urllib3 Vulnerabilities (USN-3990-1)).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries 127866 and 133842 are pretty similar.

Productinfo

Name

• urllib3

Version

• 1.24.0
• 1.24.1

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion