Updated: 2025-08-20 00:05:55.370428
Description:
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.4 |
| CVSS Version 3.x | HIGH | 7.2 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| EL 9 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369183 | 2025-10-13 16:30:20 | |
| Ubuntu 16.04 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760370210 | 2025-10-13 17:07:44 | |
| Ubuntu 16.04 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2025-07-26 04:13:47 | |
| Ubuntu 18.04 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760370140 | 2025-10-13 17:07:42 | |
| Ubuntu 18.04 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2025-07-26 04:13:46 | |
| Ubuntu 20.04 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369449 | 2025-10-13 16:30:23 | |
| Ubuntu 20.04 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2025-07-26 04:13:45 | |
| Ubuntu 22.04 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369318 | 2025-10-13 16:30:22 | |
| Ubuntu 22.04 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2025-07-26 04:13:47 | |
| Ubuntu 24.04 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369107 | 2025-10-13 16:30:19 | |