Bug 1845937 (CVE-2020-11078) - CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function
Summary: CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlled une...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11078
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1845940 1845941 1847281 1847855 1850114 1850115 1850539 1850990 1850992 1930506
Blocks: 1845939
TreeView+ depends on / blocked
 
Reported: 2020-06-10 13:20 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-07 14:52 UTC (History)
37 users (show)

Fixed In Version: httplib2 0.18.0
Clone Of:
Environment:
Last Closed: 2020-11-10 14:21:20 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4605 0 None None None 2020-11-04 02:19:13 UTC
Red Hat Product Errata RHSA-2020:5003 0 None None None 2020-11-10 12:56:16 UTC
Red Hat Product Errata RHSA-2020:5004 0 None None None 2020-11-10 12:56:49 UTC

Description Guilherme de Almeida Suckevicz 2020-06-10 13:20:46 UTC 
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.

Reference:
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq

Upstream commit:
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
Comment 1 Guilherme de Almeida Suckevicz 2020-06-10 13:22:53 UTC 
Created python-httplib2 tracking bugs for this issue:

Affects: epel-all [bug 1845941]
Affects: fedora-all [bug 1845940]
Comment 3 Przemyslaw Roguski 2020-06-15 15:11:18 UTC 
External References:

https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
Comment 11 errata-xmlrpc 2020-11-04 02:19:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4605 https://access.redhat.com/errata/RHSA-2020:4605
Comment 14 errata-xmlrpc 2020-11-10 12:56:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5003 https://access.redhat.com/errata/RHSA-2020:5003
Comment 15 errata-xmlrpc 2020-11-10 12:56:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5004 https://access.redhat.com/errata/RHSA-2020:5004
Comment 16 Product Security DevOps Team 2020-11-10 14:21:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11078
Comment 20 Summer Long 2021-03-27 05:19:10 UTC 
Statement:

While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.

Red Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.

This issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.

There's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.

In Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.
Comment 21 errata-xmlrpc 2021-05-26 11:43:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:2116 https://access.redhat.com/errata/RHSA-2021:2116
Note You need to log in before you can comment on or make changes to this bug.