CVE-2019-18348

MEDIUM Year: 2019
CVSS v3 Score
6.1
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-74
View all →

Vulnerability Description

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.

Related Vulnerabilities

CVE-2014-10386

MEDIUM
CVSS:6.1(Medium)

The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections.

CWE-742014

CVE-2014-10391

MEDIUM
CVSS:6.1(Medium)

The wp-support-plus-responsive-ticket-system plugin before 4.1 for WordPress has JavaScript injection.

CWE-742014

CVE-2014-10394

MEDIUM
CVSS:6.1(Medium)

The rich-counter plugin before 1.2.0 for WordPress has JavaScript injection via a User-Agent header.

CWE-742014

CVE-2015-3154

MEDIUM
CVSS:6.1(Medium)

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HT...

CWE-742015

CVE-2015-5462

MEDIUM
CVSS:6.1(Medium)

AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier allows remote attackers to inject HTML into the scoping dashboard features.

CWE-742015

CVE-2016-5701

MEDIUM
CVSS:6.1(Medium)

setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions v...

CWE-742016