CVE-2019-9740

Updated: 2026-02-22 02:23:56.138376

Description:

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

CVSS version | Severity | Score
CVSS Version 2.x | MEDIUM | 4.3
CVSS Version 3.x | MEDIUM | 6.1

Status

OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement
Alpine Linux 3.22 | python | 3.7 | 6.1 | MEDIUM | Not Vulnerable | | 2026-02-16 14:39:55 |
Alpine Linux 3.22 | python | 3.6 | 6.1 | MEDIUM | Not Vulnerable | | 2026-01-27 16:42:54 |
Debian 10 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:12 |
Debian 10 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:11 |
Debian 11 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:11 |
Debian 11 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:12 |
Debian 12 | python | 3.7 | 6.1 | MEDIUM | Not Vulnerable | | 2025-12-09 20:16:11 | Not affected: the deployed Python is 3.7.17, which is beyond the affected range (Python 3.x through ...
Debian 12 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:12 | Not affected: the deployed Python is 3.7.17, which is beyond the affected range (Python 3.x through ...
Debian 12 | python | 2.7 | 6.1 | MEDIUM | Already Fixed | | 2025-09-09 19:25:10 | Not affected: the deployed Python is 3.7.17, which is beyond the affected range (Python 3.x through ...
Debian 13 | python | 3.6 | 6.1 | MEDIUM | Already Fixed | | 2025-10-03 19:04:06 |
Total: 30