CVE-2020-26116

Updated: 2024-11-21 23:20:16.499138

Description:

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x MEDIUM 6.4
CVSS Version 3.x HIGH 7.2

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement

CentOS 6 ELS python 2.6.6 7.2 HIGH Released CLSA-2021:1633442879 2022-05-05 12:01:59
CentOS 7 ELS python3 3.6.8 7.2 HIGH Released CLSA-2023:1698945913 2023-11-02 14:10:16
CentOS 7 ELS python 2.7.5 7.2 HIGH Already Fixed 2023-10-30 14:07:29
CentOS 8.4 ELS python3 3.6.8 7.2 HIGH Already Fixed 2023-10-30 14:07:27
CentOS 8.4 ELS python2 2.7.18 7.2 HIGH Already Fixed 2023-10-31 14:07:32
CentOS 8.5 ELS python3 3.6.8 7.2 HIGH Already Fixed 2023-10-30 14:07:27
CentOS 8.5 ELS python2 2.7.18 7.2 HIGH Already Fixed 2023-10-31 14:07:32
CloudLinux 6 ELS python 2.6.6 7.2 HIGH Released 2021-12-09 07:57:07
CloudLinux 7 ELS python3 3.6.8 7.2 HIGH Released CLSA-2024:1727288754 2024-10-07 10:50:30
Oracle Linux 6 ELS python 2.6.6 7.2 HIGH Released CLSA-2021:1634925483 2021-12-09 07:57:07
Total: 12