CVE-2020-26137
CRLF injection in urllib3
CVSS 3.1 base score 6.5 (MEDIUM); EPSS 0.24%
Description
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). Because the method string is written to the wire verbatim, a CR/LF inside it terminates the request line early and lets the attacker append arbitrary header lines, or a complete second request, to what the client sends; any code that passes an untrusted string as the method argument of PoolManager.request() or urlopen() reaches putrequest() this way. NOTE: this is similar to CVE-2020-26116, the corresponding flaw in CPython's http.client, on which urllib3's connection layer is built.
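The following is an added illustration written for this page, not urllib3's own code, and it runs without any network access. It reproduces both halves of the issue: the vulnerable pattern, in which a request line is built from an unvalidated method string so that CR/LF inside the method splits one request into an injected header and a second request, and an RFC 7230 token-character allowlist check in the spirit of the one urllib3 1.25.9 added to putrequest(). The attacker-controlled method string, the regex and all function names are this example's own.

```python
"""
Illustration of CVE-2020-26137 added for this page; it is not urllib3's own
code and needs no network access. It shows the two halves of the issue:

  * a request line built from an unvalidated method string, the pattern
    urllib3 < 1.25.9 inherited from http.client, so that CR/LF inside the
    method splits one request into an injected header and a second request;
  * an RFC 7230 token-character allowlist check, in the spirit of the check
    urllib3 1.25.9 added to putrequest(), that rejects such a method.

The attacker-controlled method string below is constructed for the example.
"""
import re

# RFC 7230 tchar: "!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~"
# plus DIGIT and ALPHA. CR, LF, SP, ":" and "/" are all outside the set, so a
# single search for any non-token character is enough to catch the injection.
_NON_TOKEN_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")

# Constructed attacker input: the "method" ends the real request line,
# smuggles a header, terminates the header block, and starts a second request.
INJECTED_METHOD = "GET /health HTTP/1.1\r\nX-Injected: 1\r\n\r\nGET"


def build_request_line_unchecked(method: str, path: str) -> bytes:
    """Vulnerable pattern: the method is written to the wire verbatim."""
    return f"{method} {path} HTTP/1.1\r\n".encode("ascii")


def method_is_token(method: str) -> bool:
    """True if `method` is non-empty and made only of RFC 7230 token chars."""
    return bool(method) and _NON_TOKEN_CHAR_RE.search(method) is None


def validate_method(method: str) -> str:
    """Hardened check (this example's own, modelled on the 1.25.9 fix):
    raise before anything reaches the socket."""
    match = _NON_TOKEN_CHAR_RE.search(method)
    if not method or match:
        found = match.group() if match else ""
        raise ValueError(
            f"Method cannot contain non-token characters {method!r} "
            f"(found at least {found!r})"
        )
    return method


def build_request_line_checked(method: str, path: str) -> bytes:
    """Same writer, but only after the method has passed validation."""
    return build_request_line_unchecked(validate_method(method), path)


def split_request_head(raw: bytes) -> list:
    """Split raw bytes on CRLF the way a server parser does. Interior empty
    lines are kept (a blank line ends a header block); the empty element
    after the final CRLF is dropped."""
    parts = raw.split(b"\r\n")
    if parts and parts[-1] == b"":
        parts.pop()
    return parts


def demo() -> dict:
    """Run both paths on the constructed input and report what a server
    would see; returned rather than printed so it can be asserted on."""
    vulnerable = split_request_head(
        build_request_line_unchecked(INJECTED_METHOD, "/"))
    try:
        build_request_line_checked(INJECTED_METHOD, "/")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "lines_seen_by_server": vulnerable,   # four lines instead of one
        "injected_header_present": b"X-Injected: 1" in vulnerable,
        "second_request_line": vulnerable[-1],
        "hardened_rejects": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unchecked path turns a single call into a request carrying an attacker-chosen header followed by a second request line, which is the request-smuggling shape the advisory's "CRLF injection" refers to. The check is defence in depth at the application boundary; the actual remediation is the upgrade, after which urllib3 itself raises ValueError for a method containing non-token characters.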
How to fix CVE-2020-26137
To remediate CVE-2020-26137, upgrade the affected package to a fixed version below.
- Alpine/py3-urllib3—upgrade to 1.25.9-r0 or later
- —upgrade to 1.25.9-1 or later
- —upgrade to 1.25.9 or later
- —upgrade to 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b or later
Is CVE-2020-26137 being exploited?
Low. The EPSS score of 0.24% is the model's estimated probability that this vulnerability is exploited in the wild within the next 30 days; a value this small indicates no sign of exploitation at scale, not proof that none has occurred.
Affected packages (4)
- from 0, < 1.25.9-r0
- from 0, < 1.25.9-1
- from 0, < 1.25.9
- from 0, < 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b | from 0, < 1.25.9
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 4.0 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |