GitLab

Bugzilla ID	232
Alias(es)	CVE-2019-18348, CVE-2019-20907, CVE-2019-20916, CVE-2019-9674, CVE-2020-14422, CVE-2020-26116, CVE-2020-27619, CVE-2020-8315, CVE-2020-8492
Reporter	Max Rees (sroracle)
Assignee	Max Rees (sroracle)
Reported	2020-02-24 22:56:38 -0600
Modified	2020-12-03 23:22:57 -0600
Status	CONFIRMED
Version	1.0-RC1
Hardware	Adélie Linux / All
Importance	--- / normal
Package(s)	system/python3

Description

CVE-2019-18348: https://nvd.nist.gov/vuln/detail/CVE-2019-18348

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and
urllib in Python 3.x through 3.8.0. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first
argument to urllib.request.urlopen with \r\n (specifically in the host
component of a URL) followed by an HTTP header. This is similar to the
CVE-2019-9740 query string issue and the CVE-2019-9947 path string
issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

CVE-2020-8315: https://nvd.nist.gov/vuln/detail/CVE-2020-8315

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8
through 3.8.1, an insecure dependency load upon launch on Windows 7
may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll
being loaded and used instead of the system's copy. Windows 8 and
later are unaffected.

CVE-2020-8492: https://nvd.nist.gov/vuln/detail/CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
Regular Expression Denial of Service (ReDoS) attacks against a client
because of urllib.request.AbstractBasicAuthHandler catastrophic
backtracking.