{"id":"CVE-2019-18348","details":"An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.","aliases":["PSF-2019-7"],"modified":"2026-02-13T08:19:43.574497Z","published":"2019-10-23T17:15:12.973Z","related":["SUSE-SU-2020:0750-1","SUSE-SU-2020:0854-1","SUSE-SU-2020:1339-1","SUSE-SU-2020:1524-1","SUSE-SU-2020:3865-1","SUSE-SU-2020:3930-1","SUSE-SU-2021:0794-1","SUSE-SU-2022:4281-1","openSUSE-SU-2020:0696-1","openSUSE-SU-2020:2332-1","openSUSE-SU-2020:2333-1","openSUSE-SU-2024:11202-1","openSUSE-SU-2024:11284-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/"},{"type":"ADVISORY","url":"https://bugs.python.org/issue30458#msg347282"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1727276"},{"type":"REPORT","url":"https://bugs.python.org/issue30458#msg347282"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1727276"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"},{"type":"ARTICLE","url":"https://security.netapp.com/advisory/ntap-20191107-0004/"},{"type":"ARTICLE","url":"https://usn.ubuntu.com/4333-1/"},{"type":"ARTICLE","url":"https://usn.ubuntu.com/4333-2/"},{"type":"ARTICLE","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"1bf9cc509326bc42cd8cb1650eb9bf64550d817e"},{"fixed":"4b47a5b6ba66b02df9392feb97b8ead916f8c1fa"},{"introduced":"5c4568a05a0a62b5947c55f68f9f2ecfb90a4f12"},{"fixed":"d56cd4006a1c5e07b0bf69fad9fc8e2fbf6aa855"},{"introduced":"6046c5e0298c25515ea58abc8ab87f7413e3f743"},{"fixed":"426b022776672fdf3d71ddd98d89af341c88080f"},{"introduced":"fa919fdf2583bdfead1df00e842f24f30b2a34bf"},{"fixed":"6f8c8320e9eac9bc7a7f653b43506e75916ce8e8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18348.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}