Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Remediation

References

CVE-2020-26116

Related Vulnerabilities

WordPress Plugin Chained Quiz SQL Injection (1.0.8)

WordPress Improper Input Validation Vulnerability (CVE-2011-4957)

WordPress Plugin WP Simple Booking Calendar Cross-Site Request Forgery (1.3)

Oracle Database Server CVE-2018-2939 Vulnerability (CVE-2018-2939)

phpMyAdmin Improper Input Validation Vulnerability (CVE-2017-1000014)

Severity

High

Classification

CVE-2020-26116 CWE-116 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities