EIQ-2019-0021



ID: EIQ-2019-0021

CVE: CVE-2019-11236

Description: CRLF injection and HTTP header manipulation in urllib3

Date: 22 Apr 2019

Severity: 2 - MEDIUM

CVSSv3 score: 6.1

Status: resolved in 2.4.0

Assessment

An attacker could inject Carriage Return Line Feed (CRLF) sequences into a targeted system by exploiting improper neutralization of CRLF sequences in urllib3.
An attacker who controls the urllib request address parameter could exploit this vulnerability by injecting CRLF sequences into the request sent by the targeted system.

A successful exploit could allow the attacker to manipulate HTTP headers and enable additional attack methods.
To exploit this vulnerability, an attacker must send malicious requests to the targeted system.

Mitigation

Upgrade urllib3 to version 1.24.3, 1.25.2, or later.

Restrict network access from untrusted sources to make it more difficult to exploit the vulnerability.
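The following is an added example, not code from EclecticIQ or from urllib3, showing the kind of input check an application can apply in front of an HTTP client as a complement to the upgrade above: any request address that still carries a raw CR, LF or other control character is rejected before it reaches urllib3, so an attacker-controlled address cannot split the request line or append headers. The function names, the exception class and the sample addresses are all constructed for this illustration. Note that the control-character check runs on the raw string before urlsplit, because recent Python versions silently strip CR, LF and TAB during parsing and would hide the problem.

```python
"""Reject request addresses carrying CRLF or other control characters before
they are handed to an HTTP client such as urllib3.
Added illustration; not the advisory's or the library's own code."""
import re
from urllib.parse import urlsplit

# Raw ASCII control characters (CR 0x0d, LF 0x0a, TAB 0x09, NUL, DEL, ...)
# must never reach the client unencoded: they are what allows a request
# address to break out of the request line into the header block.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeAddressError(ValueError):
    """Raised for an address that must not be passed to the HTTP client."""


def validate_request_address(address: str) -> str:
    """Return the address unchanged if it is safe to forward, else raise.

    The check order matters: the raw string is inspected first, because
    urlsplit() in current Python releases strips CR/LF/TAB before parsing
    and would otherwise mask the injected sequence.
    """
    match = _CONTROL_CHARS.search(address)
    if match:
        raise UnsafeAddressError(
            f"control character 0x{ord(match.group()):02x} at offset {match.start()}"
        )
    # Remaining whitespace (e.g. a bare space) is never valid in a URL and
    # is another common vehicle for header manipulation.
    if any(ch.isspace() for ch in address):
        raise UnsafeAddressError("whitespace in request address")
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https"):
        raise UnsafeAddressError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeAddressError("missing host")
    return address


def is_safe_address(address: str) -> bool:
    """Boolean wrapper around validate_request_address()."""
    try:
        validate_request_address(address)
        return True
    except UnsafeAddressError:
        return False


def classify(addresses):
    """Map each address to True (safe to forward) or False (rejected)."""
    return {addr: is_safe_address(addr) for addr in addresses}


# Constructed sample inputs. The second embeds a raw CRLF after the query
# string, the pattern the advisory describes; the others exercise the
# remaining rejection paths.
SAMPLE_ADDRESSES = [
    "https://example.com/api?id=1",
    "https://example.com/api?id=1\r\nX-Injected: 1",
    "https://example.com/a\tb",
    "https://example.com/a b",
    "ftp://example.com/",
    "https:///no-host",
]

if __name__ == "__main__":
    for addr, ok in classify(SAMPLE_ADDRESSES).items():
        print("forward " if ok else "REJECT  ", repr(addr))
```

In a real service this check sits at the trust boundary (where the address is read from a user-supplied parameter), and rejected inputs should be logged with the offset and byte reported by the exception so that injection attempts are visible to detection tooling.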

Affected versions

2.3.4 and earlier

Notes

For more information, see:



In release notes 2.4.0