CVE-2019-9947
Description
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the path component of a URL that lacks a character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Risk Information
Base Score
6.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
1.161
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.1 | Windows |
| Vulnerabilities CVE-2019-15903,CVE-2019-9947,CVE-2019-9948 are affected in Python 2.7.16 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Tivoli Application Dependency Discovery Manager 7.3.0 | Windows |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.16-2ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.16-2ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.12-1ubuntu0~16.04.8_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.12-1ubuntu0~16.04.8_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.15-4ubuntu4~18.04.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7_2.7.15-4ubuntu4~18.04.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.5_3.5.2-2ubuntu0~16.04.8_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.5_3.5.2-2ubuntu0~16.04.8_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.6_3.6.8-1~18.04.2_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.6_3.6.8-1~18.04.2_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.7_3.7.3-2ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.7_3.7.3-2ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.16-2ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.16-2ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.12-1ubuntu0~16.04.8_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.12-1ubuntu0~16.04.8_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.15-4ubuntu4~18.04.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python2.7-minimal_2.7.15-4ubuntu4~18.04.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.5-minimal_3.5.2-2ubuntu0~16.04.8_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.5-minimal_3.5.2-2ubuntu0~16.04.8_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.6-minimal_3.6.8-1~18.04.2_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.6-minimal_3.6.8-1~18.04.2_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.7-minimal_3.7.3-2ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-4127-1) python3.7-minimal_3.7.3-2ubuntu0.1_amd64.deb | Linux |
| (RHSA-2019:2030) python security and bug fix update python-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-debug-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-devel-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-libs-2.7.5-86.el7.i686.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-libs-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-test-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update python-tools-2.7.5-86.el7.x86_64.rpm | Linux |
| (RHSA-2019:2030) python security and bug fix update tkinter-2.7.5-86.el7.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) libpython3_6m1_0-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) libpython3_6m1_0-debuginfo-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-base-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-base-debuginfo-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-base-debugsource-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-debuginfo-3.6.10-4.3.5.x86_64.rpm | Linux |
| SUSE-SU-2020:0302-1(SUSE Linux Enterprise Server 12-SP5 ) python36-debugsource-3.6.10-4.3.5.x86_64.rpm | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.10_3.10.12-1~22.04.4_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.10_3.10.12-1~22.04.4_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.10-minimal_3.10.12-1~22.04.4_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.10-minimal_3.10.12-1~22.04.4_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.11_3.11.6-3ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.11_3.11.6-3ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.11-minimal_3.11.6-3ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.11-minimal_3.11.6-3ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.12_3.12.0-1ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.12_3.12.0-1ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.12-minimal_3.12.0-1ubuntu0.1_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.12-minimal_3.12.0-1ubuntu0.1_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.8_3.8.10-0ubuntu1~20.04.10_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.8_3.8.10-0ubuntu1~20.04.10_i386.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.8-minimal_3.8.10-0ubuntu1~20.04.10_amd64.deb | Linux |
| An interactive high-level object-oriented language (USN-6891-1) python3.8-minimal_3.8.10-0ubuntu1~20.04.10_i386.deb | Linux |
| CVE-2019-9947 | NCM |
| Improper Neutralization of CRLF Sequences (CRLF Injection) Vulnerability (CVE-2019-9947) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234