Bug 1845937 (CVE-2020-11078)
| Summary: | CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agk, andreas.bierfert, bcoca, bdettelb, bkearney, cluster-maint, cmeyers, dbecker, dingyichen, fdinitto, gblomqui, gmainwar, gwync, hvyas, igor.raits, jcammara, jjoyce, jschluet, jspaleta, jtanner, kevin, lhh, lpeer, mabashia, mburns, notting, oalbrigt, pcahyna, puebele, rhos-maint, rpetrell, sclewis, sdoran, slinaber, smcdonal, tkuratom, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | httplib2 0.18.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-10 14:21:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1845940, 1845941, 1847281, 1847855, 1850114, 1850115, 1850539, 1850990, 1850992, 1930506 | ||
| Bug Blocks: | 1845939 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-06-10 13:20:46 UTC
Created python-httplib2 tracking bugs for this issue: Affects: epel-all [bug 1845941] Affects: fedora-all [bug 1845940] External References: https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4605 https://access.redhat.com/errata/RHSA-2020:4605 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5003 https://access.redhat.com/errata/RHSA-2020:5003 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5004 https://access.redhat.com/errata/RHSA-2020:5004 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11078 Statement: While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay. Red Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low. This issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows. There's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed. In Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package. This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:2116 https://access.redhat.com/errata/RHSA-2021:2116 |