Python urllib CRLF Injection Vulnerability
A vulnerability in the urllib component of Python could allow an unauthenticated, remote attacker to inject Carriage Return Line Feed (CRLF) sequences on a targeted system.

The vulnerability exists in the parameter-handling functionality of the affected software and is due to improper neutralization of CRLF sequences. An attacker who controls the address (URL) parameter passed to urllib could exploit this vulnerability by injecting CRLF sequences into the affected software. A successful exploit could allow the attacker to manipulate HTTP headers and enable additional attack methods.

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

The Python project has confirmed the vulnerability; however, software updates are not available.
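Since the advisory describes an attacker-controlled URL carrying raw CR/LF into the request, the practical defence while no update is available is to validate the URL before it reaches urllib. The guard below is an added example written for this page, not code from the advisory or from the Python project; the function names and sample URLs are constructed.

```python
"""Pre-call guard for URLs handed to urllib.request (added example)."""
import re
from urllib.parse import urlsplit

# Raw ASCII control characters, including CR (0x0D) and LF (0x0A), have no
# legitimate place in an HTTP request target. If they reach the request
# line they can terminate it and start a new header, which is the CRLF
# injection the advisory describes.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_url_for_crlf(url: str) -> None:
    """Raise ValueError if ``url`` could alter the HTTP request line or headers.

    Call this on any untrusted URL parameter before passing it to
    urllib.request.urlopen(). It rejects raw control characters anywhere in
    the URL and restricts the scheme to http/https. Percent-encoded
    sequences such as ``%0d%0a`` are left alone: they are sent as the
    literal characters '%', '0', 'd', ... and cannot break the request line.
    """
    if not isinstance(url, str):
        raise ValueError("URL must be a str")
    if _CONTROL_CHARS.search(url):
        raise ValueError("URL contains ASCII control characters (possible CRLF injection)")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")


def is_safe_url(url) -> bool:
    """Boolean form of check_url_for_crlf, for use in filters or logging."""
    try:
        check_url_for_crlf(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL, one with a raw CRLF that would
    # split the request line, and one where the CRLF is percent-encoded.
    samples = [
        "http://example.com/api?item=1",
        "http://example.com/api?item=1\r\nX-Injected:yes",
        "http://example.com/api?item=1%0d%0aX-Injected:yes",
    ]
    for sample in samples:
        print(f"{is_safe_url(sample)!s:5}  {sample!r}")
```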

Security Impact Rating: Medium

CVE: CVE-2019-9740

Source: Cisco Multivendor Vulnerability Alerts