{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-04T12:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue35906"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190404-0004/"}, {"name": "FEDORA-2019-1ffd6b6064", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"}, {"name": "RHSA-2019:1260", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "FEDORA-2019-ec26883852", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"}, {"name": "RHSA-2019:2030", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "USN-4127-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4127-2/"}, {"name": "USN-4127-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4127-1/"}, {"name": "openSUSE-SU-2019:2389", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"}, {"name": "openSUSE-SU-2019:2393", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"}, {"name": "RHSA-2019:3335", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"name": "RHSA-2019:3520", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3520"}, {"name": "RHSA-2019:3725", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "GLSA-202003-26", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-26"}, {"name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}, {"name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9947", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.python.org/issue35906", "refsource": "MISC", "url": "https://bugs.python.org/issue35906"}, {"name": "https://security.netapp.com/advisory/ntap-20190404-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190404-0004/"}, {"name": "FEDORA-2019-1ffd6b6064", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"}, {"name": "RHSA-2019:1260", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "FEDORA-2019-ec26883852", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"}, {"name": "RHSA-2019:2030", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "USN-4127-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4127-2/"}, {"name": "USN-4127-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4127-1/"}, {"name": "openSUSE-SU-2019:2389", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"}, {"name": "openSUSE-SU-2019:2393", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"}, {"name": "RHSA-2019:3335", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"name": "RHSA-2019:3520", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3520"}, {"name": "RHSA-2019:3725", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "GLSA-202003-26", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-26"}, {"name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}, {"name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:08.547Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue35906"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190404-0004/"}, {"name": "FEDORA-2019-1ffd6b6064", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"}, {"name": "RHSA-2019:1260", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "FEDORA-2019-ec26883852", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"}, {"name": "RHSA-2019:2030", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "USN-4127-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4127-2/"}, {"name": "USN-4127-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4127-1/"}, {"name": "openSUSE-SU-2019:2389", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"}, {"name": "openSUSE-SU-2019:2393", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"}, {"name": "RHSA-2019:3335", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"name": "RHSA-2019:3520", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3520"}, {"name": "RHSA-2019:3725", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "GLSA-202003-26", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-26"}, {"name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}, {"name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9947", "datePublished": "2019-03-23T17:06:47", "dateReserved": "2019-03-23T00:00:00", "dateUpdated": "2024-08-04T22:10:08.547Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B09B31A2-30BF-4E95-81A3-F77FD97DF5B6", "versionEndExcluding": "2.7.17", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A384586-B574-4240-8BCF-CCE69498F336", "versionEndExcluding": "3.5.8", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C052B2D-757B-4342-8BE9-510A08599779", "versionEndExcluding": "3.6.9", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8E7B12E-74D0-4E51-A0A6-6C1A8B277055", "versionEndExcluding": "3.7.4", "versionStartIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."}, {"lang": "es", "value": "Se detect\u00f3 un problema en urllib2 en Python versi\u00f3n 2.x hasta la versi\u00f3n 2.7.16 y urllib en Python versi\u00f3n 3.x hasta la versi\u00f3n 3.7.3. La inyecci\u00f3n de CRLF es posible si el atacante controla un par\u00e1metro url, como lo demuestra el primer argumento de urllib.request.urlopen con \\r\\n (espec\u00edficamente en el componente path de una URL que carece de un car\u00e1cter ?) Seguido por un encabezado HTTP o Un comando Redis. Esto se igual al CVE-2019-9740 problema con la cadena de consulta. Esto est\u00e1 corregido en las versiones: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9"}], "id": "CVE-2019-9947", "lastModified": "2024-11-21T04:52:39.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-23T18:29:02.027", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3520"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue35906"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-26"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190404-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4127-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4127-2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3520"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue35906"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-26"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190404-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4127-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4127-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-34/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-35/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHSA-2019:2030", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-0:2.7.5-86.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1268", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "python-0:2.7.5-74.el7_5", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2020-04-01T00:00:00Z"}, {"advisory": "RHSA-2020:1462", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "python-0:2.7.5-83.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-04-14T00:00:00Z"}, {"advisory": "RHSA-2019:3335", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8010020190903182548.51c94b97", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3520", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-15.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:3520", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-15.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "python27-python-0:2.7.16-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "python27-python-jinja2-0:2.6-12.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-python36-python-0:3.6.9-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-11-06T00:00:00Z"}], "bugzilla": {"description": "python: CRLF injection via the path part of the url passed to urlopen()", "id": "1695572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695572"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-113", "details": ["An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."], "name": "CVE-2019-9947", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python35-python", "product_name": "Red Hat Software Collections"}], "public_date": "2019-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9947\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9947"], "threat_severity": "Moderate"}