Debian 9: DLA-2686-1 Critical: python-urllib3 Multiple Security Flaws

Debian LTS
June 15, 2021
A security update for python-urllib3 has been issued for Debian 9 (stretch) LTS, addressing several vulnerabilities.
Several vulnerabilities were discovered in python-urllib3, an HTTP client for Python.

Summary

CVE-2018-20060

Urllib3 does not remove the Authorization HTTP header when
following a cross-origin redirect (i.e., a redirect that differs
in host, port, or scheme). This can allow for credentials in the
Authorization header to be exposed to unintended hosts or
transmitted in cleartext.

CVE-2019-11236

CRLF injection is possible if the attacker controls the request
parameter.

CVE-2019-11324

Urllib3 mishandles certain cases where the desired set of CA
certificates is different from the OS store of CA certificates,
which results in SSL connections succeeding in situations where a
verification failure is the correct outcome. This is related to
use of the ssl_context, ca_certs, or ca_certs_dir argument.

CVE-2020-26137

Urllib3 allows CRLF injection if the attacker controls the HTTP
request method, as demonstrated by inserting CR and LF control
characters in the first argument of putrequest().
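The two header-handling flaws above (the Authorization leak on cross-origin redirects in CVE-2018-20060 and the CR/LF injection through the request method in CVE-2020-26137) both come down to a missing check before a request is written to the wire. The block below is an added example, not code from the Debian advisory or from urllib3 itself: it re-implements those two checks stand-alone so they can be exercised offline against constructed inputs. The function names, the sample URLs and the sample header dictionary are assumptions made for the example. The token character class used for the method check is the RFC 7230 `tchar` set, which is also what upstream's later method validation rejects against; the redirect check follows the CVE text and treats any change of scheme, host or port as cross-origin (upstream's own fix compared the host).

```python
"""Added example (not from the Debian advisory or urllib3): stand-alone
versions of two checks a patched HTTP client performs.

- strip_authorization_on_redirect(): decide whether the Authorization header
  must be dropped when following a redirect (CVE-2018-20060). Any change in
  scheme, host or port counts as cross-origin, per the CVE description.
- validate_method(): reject an HTTP method that contains a character outside
  the RFC 7230 token grammar, which blocks CR/LF (CVE-2020-26137).
"""
import re
from urllib.parse import urlsplit

# RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. Anything else (CR, LF, space,
# ':' and so on) is a non-token character and is rejected.
_NON_TOKEN_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port so
    that https://h/ and https://h:443/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def strip_authorization_on_redirect(original_url, redirect_url):
    """True when following the redirect would change origin (scheme, host or
    port), so credentials in Authorization must not be replayed."""
    return _origin(original_url) != _origin(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Return the headers to send to redirect_url: a copy of the input with
    Authorization removed (case-insensitively) if the redirect is cross-origin.
    The caller's dict is left unmodified."""
    if not strip_authorization_on_redirect(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def validate_method(method):
    """Raise ValueError if the method is empty or contains a non-token
    character (e.g. CR/LF injected via an attacker-controlled method string).
    Returns the method unchanged when it is acceptable."""
    if not method:
        raise ValueError("Method must not be empty")
    match = _NON_TOKEN_CHAR_RE.search(method)
    if match:
        raise ValueError(
            "Method cannot contain non-token characters %r (found %r)"
            % (method, match.group())
        )
    return method


def is_valid_method(method):
    """Boolean wrapper around validate_method()."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs (hypothetical hosts and a dummy Basic credential).
    hdrs = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}
    print(headers_for_redirect(hdrs, "https://api.example/v1", "https://api.example/v2"))
    print(headers_for_redirect(hdrs, "https://api.example/v1", "http://api.example/v1"))
    print(headers_for_redirect(hdrs, "https://api.example/v1", "https://evil.example/"))
    print(is_valid_method("GET"), is_valid_method("GET / HTTP/1.1\r\nX-Injected: 1\r\n"))
```

The redirect check compares normalised origins, so a redirect from `https://h/` to `https://h:443/` keeps the header while a scheme downgrade to `http://` or a move to a different host or port drops it. The method check rejects the whole request rather than sanitising the string: once a caller can put CR/LF into the request line, stripping characters is fragile, and failing closed is what a client library should do.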



Severity: Critical

Package: python-urllib3
Fixed version (Debian 9 stretch): 1.19.1-1+deb9u1
CVE IDs: CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2020-26137
