{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-11236", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T22:48:09.019Z", "dateReserved": "2019-04-15T00:00:00", "datePublished": "2019-04-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-08T13:06:20.268838"}, "descriptions": [{"lang": "en", "value": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/urllib3/urllib3/issues/1553"}, {"name": "USN-3990-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/3990-1/"}, {"name": "FEDORA-2019-20bc611b61", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/"}, {"name": "FEDORA-2019-fbda9f1e49", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/"}, {"name": "[debian-lts-announce] 20190620 [SECURITY] [DLA 1828-1] python-urllib3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html"}, {"name": "USN-3990-2", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/3990-2/"}, {"name": "RHSA-2019:2272", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2272"}, {"name": "openSUSE-SU-2019:2131", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"}, {"name": "openSUSE-SU-2019:2133", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"}, {"name": "RHSA-2019:3590", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3590"}, {"name": "RHSA-2019:3335", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"name": "FEDORA-2020-6148c44137", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/"}, {"name": "FEDORA-2020-d0d9ad17d8", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/"}, {"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"}, {"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.019Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/urllib3/urllib3/issues/1553", "tags": ["x_transferred"]}, {"name": "USN-3990-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/3990-1/"}, {"name": "FEDORA-2019-20bc611b61", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/"}, {"name": "FEDORA-2019-fbda9f1e49", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/"}, {"name": "[debian-lts-announce] 20190620 [SECURITY] [DLA 1828-1] python-urllib3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html"}, {"name": "USN-3990-2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/3990-2/"}, {"name": "RHSA-2019:2272", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2272"}, {"name": "openSUSE-SU-2019:2131", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"}, {"name": "openSUSE-SU-2019:2133", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"}, {"name": "RHSA-2019:3590", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3590"}, {"name": "RHSA-2019:3335", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"name": "FEDORA-2020-6148c44137", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/"}, {"name": "FEDORA-2020-d0d9ad17d8", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/"}, {"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"}, {"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "304CBF27-88DD-4DF2-8A3A-FD4C02C42895", "versionEndIncluding": "1.24.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter."}, {"lang": "es", "value": "En la librer\u00eda urllib3, hasta la versi\u00f3n 1.24.1 para Python, se puede realizar una inyecci\u00f3n CRLF si el atacante controla el par\u00e1metro request."}], "id": "CVE-2019-11236", "lastModified": "2023-11-07T03:02:48.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-15T15:29:00.637", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2272"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:3335"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:3590"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Exploit", "Third Party Advisory"], "url": "https://github.com/urllib3/urllib3/issues/1553"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3990-1/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3990-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2020:1539", "cpe": "cpe:/a:redhat:ansible_tower:3.5::el7", "package": "ansible-tower-35/ansible-tower:3.5.6-1", "product_name": "Red Hat Ansible Tower 3.5 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHBA-2020:1540", "cpe": "cpe:/a:redhat:ansible_tower:3.6::el7", "package": "ansible-tower-36/ansible-tower:3.6.4-1", "product_name": "Red Hat Ansible Tower 3.6 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2019:2272", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-urllib3-0:1.10.2-7.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:0850", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-pip-0:9.0.3-7.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0851", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-virtualenv-0:15.1.0-4.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:2068", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-pip-0:9.0.3-7.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-05-12T00:00:00Z"}, {"advisory": "RHSA-2020:2081", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-virtualenv-0:15.1.0-4.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-05-12T00:00:00Z"}, {"advisory": "RHSA-2019:3335", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8010020190903182548.51c94b97", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2020:1605", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8020020200117110429.90f98d4f", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1916", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pip-0:9.0.3-16.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2019:3590", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-urllib3-0:1.24.2-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2020:1916", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-pip-0:9.0.3-16.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHBA-2020:2804", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "python-urllib3-0:1.24.3-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHBA-2020:2785", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "python-urllib3-0:1.24.3-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-07-06T00:00:00Z"}], "bugzilla": {"description": "python-urllib3: CRLF injection due to not encoding the '\\r\\n' sequence leading to possible attack on internal service", "id": "1700824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1700824"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-113", "details": ["In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter."], "name": "CVE-2019-11236", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python-virtualenv", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "python-urllib3", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "python27-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "python27-python-virtualenv", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-mongodb36-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python36-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python36-python-virtualenv", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-urllib3", "product_name": "Red Hat Storage 3"}], "public_date": "2019-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11236\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11236"], "statement": "This issue affects the version of python-urllib3 shipped with Red Hat Gluster Storage 3, as it is vulnerable to CRLF injection.\nRed Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information.\nIn Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.", "threat_severity": "Moderate", "upstream_fix": "python-urllib3 1.24.3, python-urllib3 1.25"}