Bug 2047376 (CVE-2022-0391) - CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII newline and tabs
Summary: CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII ne...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0391
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2047377
Depends On: 2050109 2047577 2047578 2047579 2047580 2047581 2047582 2047583 2047584 2047585 2047587 2048471 2048472 2048473 2048474 2048475 2048476 2048477 2048479 2048480 2050110 2050625 2050626 2064447 2064448 2083677 2126651 2130869
Blocks: 2034739 2047379
Reported: 2022-01-27 18:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-11-09 10:22 UTC (History)

Fixed In Version: python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python, specifically in the urllib.parse module, which splits Uniform Resource Locator (URL) strings into their components. The urlparse function does not sanitize its input and accepts characters such as '\r' and '\n' in the URL path. An attacker who can supply a crafted URL may use this flaw to carry out injection attacks.
Clone Of:
Environment:
Last Closed: 2022-05-11 03:46:29 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2022:1663 (last updated 2022-05-02 08:05:20 UTC)
Red Hat Product Errata RHSA-2022:1764 (last updated 2022-05-10 13:18:34 UTC)
Red Hat Product Errata RHSA-2022:1821 (last updated 2022-05-10 13:39:35 UTC)
Red Hat Product Errata RHSA-2022:6457 (last updated 2022-09-13 09:45:19 UTC)

Description Guilherme de Almeida Suckevicz 2022-01-27 18:02:53 UTC
Python urllib.parse does not sanitize URLs containing ASCII newline and tabs.

Reference:
https://bugs.python.org/issue43882
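As an added example (not code from this bug report, from the Red Hat advisory, or from CPython), the check below inspects the raw URL string for ASCII tab, CR and LF before it reaches urlsplit(): on the fixed versions listed above (python 3.9.5, 3.8.11, ...) urllib.parse strips these characters silently, so the parsed components can look clean while the original string still carries them. The sample URLs and function names are constructed for illustration.

```python
"""Check URLs for the ASCII tab/CR/LF characters behind CVE-2022-0391."""
from urllib.parse import SplitResult, urlsplit

# The characters the fixed urllib.parse strips (python 3.9.5, 3.8.11, ...).
UNSAFE_URL_CHARS = frozenset("\t\r\n")


def find_unsafe_chars(url: str) -> list:
    """Return [(index, char), ...] for every tab/CR/LF in the raw URL string."""
    return [(i, c) for i, c in enumerate(url) if c in UNSAFE_URL_CHARS]


def unsafe_char_report(url: str) -> str:
    """Describe the offending characters, or return "" when the URL is clean."""
    return ", ".join(f"{c!r} at offset {i}" for i, c in find_unsafe_chars(url))


def strict_urlsplit(url: str) -> SplitResult:
    """Split a URL, refusing input that contains tab/CR/LF instead of stripping it.

    Silent stripping by urlsplit() is not enough on its own: callers often
    forward the *raw* string (to an HTTP client, a redirect header, a log
    line), and an embedded CRLF there can still break a protocol message.
    """
    report = unsafe_char_report(url)
    if report:
        raise ValueError(f"URL contains ASCII tab/newline characters: {report}")
    return urlsplit(url)


def parsed_components_look_clean(url: str) -> bool:
    """True when no urlsplit() component contains tab/CR/LF.

    On a patched interpreter this is True even for a dirty input, which is
    why the check must run on the raw string rather than on the result.
    """
    return not any(c in UNSAFE_URL_CHARS for part in urlsplit(url) for c in part)


# Constructed sample inputs (not taken from the bug report).
CLEAN_URL = "https://example.com/path?q=1"
DIRTY_URL = "https://example.com/path\r\n?q=1"  # CRLF embedded in the path

if __name__ == "__main__":
    print("raw check:   ", unsafe_char_report(DIRTY_URL))
    print("parsed clean:", parsed_components_look_clean(DIRTY_URL))
    try:
        strict_urlsplit(DIRTY_URL)
    except ValueError as exc:
        print("rejected:", exc)
```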

Comment 1 Guilherme de Almeida Suckevicz 2022-01-27 18:04:23 UTC
*** Bug 2047377 has been marked as a duplicate of this bug. ***

Comment 2 Sandipan Roy 2022-01-28 06:16:26 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2047578]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2047579]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2047585]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2047587]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2047580]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2047581]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2047582]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2047583]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2047584]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2047577]

Comment 3 Miro Hrončok 2022-01-28 08:07:06 UTC
Sandipan, I've actually collected the versions where this was fixed and yes, we have received 6 pointless outdated reports for Fedora python3.6 to python3.11 nevertheless. What exactly is the purpose? If you need that for some kind of tracking, could you report the bugzillas but close them immediately?

Comment 4 Sandipan Roy 2022-01-28 08:46:05 UTC
Hello Miro, I will close those kinds of tracking bugs from now on.
Thanks.

Comment 17 errata-xmlrpc 2022-05-02 08:05:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663

Comment 21 errata-xmlrpc 2022-05-10 13:18:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764

Comment 22 errata-xmlrpc 2022-05-10 13:39:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821

Comment 23 Product Security DevOps Team 2022-05-11 03:46:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0391

Comment 25 errata-xmlrpc 2022-09-13 09:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457

