Bug 1727276 (CVE-2019-18348) - CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
Summary: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
Keywords:
Status: NEW
Alias: CVE-2019-18348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1765138 1765139 1765140 1765143 1765144 1765145 1765146 1765147 1765148 1765149 1765150 1765151 1765152 1765153 1765141 1765142
Blocks: 1727267
 
Reported: 2019-07-05 10:22 UTC by Riccardo Schirone
Modified: 2019-10-24 12:37 UTC (History)
CC: 21 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to the urlopen() method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
Clone Of:
Environment:
Last Closed:



Description Riccardo Schirone 2019-07-05 10:22:43 UTC
An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen().

The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters) so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.


Reference:
https://bugs.python.org/issue30458#msg347282

Comment 3 Riccardo Schirone 2019-10-24 08:13:15 UTC
I have created a new and separate issue upstream to keep track of this CVE.
https://bugs.python.org/issue38576

Comment 4 Riccardo Schirone 2019-10-24 12:29:34 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1765145]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1765146]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1765138]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1765141]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1765144]

Comment 6 Riccardo Schirone 2019-10-24 12:35:53 UTC
Statement:

This issue affects the versions of python and python3 as shipped with Red Hat Enterprise Linux 7, however users running Red Hat Enterprise Linux 7.7 and above are not vulnerable because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.

Comment 7 Riccardo Schirone 2019-10-24 12:37:06 UTC
This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires the getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.
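The following is an added example, not code from this bug report or from CPython, illustrating the mechanism in the Description and the exploitability condition in Comment 7. On a constructed attacker-controlled URL it shows why a check that validates only the request target (the CVE-2019-9947 fix) lets a host containing CRLF through, what such a host becomes once interpolated into the request head, and the host-side validation the upstream fix adds (the same control-character class, raising http.client.InvalidURL). All helper names are this example's own; build_request_head() is a simplified model of the request head rather than a byte-exact copy of http.client. The two probes at the end check the running interpreter and libc: the getaddrinfo() probe may consult the system resolver on a fixed glibc, so it is only called from main.

```python
"""CVE-2019-18348 illustrated on constructed input.

Added example, not code from this bug report or from CPython. Shows why a
check on the request target alone misses a host containing CRLF, what that
host becomes in the request head, and the host-side validation the upstream
fix adds. Helper names are this example's own; build_request_head() is a
simplified model, not a byte-exact copy of http.client.
"""
import http.client
import re
import socket

# Character class http.client applies to the request target since the
# CVE-2019-9947 fix and, after the fix for this CVE, to the host as well.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def raw_netloc(url):
    """Authority part of a URL exactly as written. Deliberately naive:
    urllib.parse.urlsplit() in current CPython strips \\t, \\r and \\n
    from the URL first, which would hide the characters examined here."""
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL without scheme")
    end = len(rest)
    for stop in "/?#":
        pos = rest.find(stop)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def target_of(url):
    """Request target (path, query, fragment) following the authority."""
    _, _, rest = url.partition("://")
    return rest[len(raw_netloc(url)):] or "/"


def first_control_char(value):
    """First disallowed character in value, or None when it is clean."""
    match = _DISALLOWED.search(value)
    return match.group() if match else None


def target_only_check(url):
    """CVE-2019-9947 style check: True when the *target* is clean, even if
    the host is not. This is the gap the report describes."""
    return first_control_char(target_of(url)) is None


def check_url(url):
    """Validate host and target; raise http.client.InvalidURL (the exception
    the upstream fix raises) on the first control character found."""
    for part, value in (("host", raw_netloc(url)), ("target", target_of(url))):
        bad = first_control_char(value)
        if bad is not None:
            raise http.client.InvalidURL(
                f"URL {part} can't contain control characters: {value!r} "
                f"(found {bad!r})")


def build_request_head(host, target="/"):
    """Request line plus Host header with the host interpolated unchecked,
    i.e. the pre-fix behaviour (simplified model, see module docstring)."""
    request_line = f"GET {target} HTTP/1.1\r\n".encode("ascii")
    return request_line + b"Host: " + host.encode("ascii") + b"\r\n\r\n"


def header_names(head):
    """Header field names a server parsing this request head would see."""
    names = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            break
        names.append(line.partition(b":")[0].decode("ascii"))
    return names


def interpreter_rejects_control_chars_in_host():
    """True when this Python carries the fix: HTTPConnection() refuses the
    host before any socket is opened."""
    try:
        http.client.HTTPConnection("127.0.0.1\r\nX-Injected")
    except http.client.InvalidURL:
        return True
    return False


def libc_resolves_invalid_host(host="127.0.0.1\r\nX-Injected"):
    """True when getaddrinfo() still accepts an IPv4 literal with trailing
    garbage (CVE-2016-10739), the condition Comment 7 names. A fixed libc
    treats the string as a name; that lookup may reach the system resolver."""
    try:
        results = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    except OSError:
        return False
    return any(entry[4][0] == "127.0.0.1" for entry in results)


if __name__ == "__main__":
    # Constructed attacker-controlled URL: CRLF and a header inside the host.
    url = "http://127.0.0.1\r\nX-Injected: 1\r\n/path"
    print("target-only check passes:", target_only_check(url))
    print("headers a server would parse:",
          header_names(build_request_head(raw_netloc(url), target_of(url))))
    try:
        check_url(url)
    except http.client.InvalidURL as exc:
        print("host check rejects it:", repr(str(exc)))
    print("this interpreter has the fix:", interpreter_rejects_control_chars_in_host())
    print("libc still resolves the bogus host:", libc_resolves_invalid_host())
```

Run as a script, the target-only check passes the malicious URL while the server-side view of the request head already contains a second header, and the combined check rejects it. Both probes must report the vulnerable state (an interpreter without the fix and a libc that still resolves the bogus host) for the flaw to be exploitable, which is the point of Comment 6 and Comment 7.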

