CVE-2020-26116

Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

How to fix CVE-2020-26116

To remediate CVE-2020-26116, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.5.10 or later
• —upgrade to 3.5.10 or later
• —upgrade to 3.5.10 or later
• —upgrade to 7.3.3+dfsg-1 or later
• —no fix listed
• —upgrade to 3.9.0~b5-1 or later

Is CVE-2020-26116 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
• >= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
• >= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
• from 0, < 7.3.3+dfsg-1
• from 0
• from 0, < 3.9.0~b5-1

CVSS scores

References (16)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-26116
• WEBlists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
• WEBbugs.python.org/issue39603
• WEBlists.debian.org/debian-lts-announce/2020/11/msg00032.html