CVE-2020-26116
HIGH7.2EPSS 0.90%Published: 9/27/2020Modified: 4/28/2026
Also known as:DEBIAN-CVE-2020-26116
Description
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Affected packages (6)
- Bitnami/libpython>= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
- Bitnami/python>= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
- Bitnami/python-min>= 3.0.0, < 3.5.10, >= 3.6.0, < 3.6.12, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.5
- Debian/pypy3from 0, < 7.3.3+dfsg-1
- Debian/python2.7from 0
- Debian/python3.9from 0, < 3.9.0~b5-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
References (16)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-26116
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html
- WEBhttps://bugs.python.org/issue39603
- WEBhttps://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- WEBhttps://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2020-26116
- WEBhttps://python-security.readthedocs.io/vuln/http-header-injection-method.html
- WEBhttps://security.gentoo.org/glsa/202101-18
- WEBhttps://security.netapp.com/advisory/ntap-20201023-0001/
- WEBhttps://usn.ubuntu.com/4581-1/
- WEBhttps://www.oracle.com/security-alerts/cpuoct2021.html