{"id":"USN-3990-1","summary":"python-urllib3 vulnerabilities","details":"It was discovered that urllib3 incorrectly removed Authorization HTTP\nheaders when handled cross-origin redirects. This could result in\ncredentials being sent to unintended hosts. This issue only affected Ubuntu\n16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20060)\n\nIt was discovered that urllib3 incorrectly stripped certain characters from\nrequests. A remote attacker could use this issue to perform CRLF injection.\n(CVE-2019-11236)\n\nIt was discovered that urllib3 incorrectly handled situations where a\ndesired set of CA certificates were specified. This could result in\ncertificates being accepted by the default CA certificates contrary to\nexpectations. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and\nUbuntu 19.04. (CVE-2019-11324)\n","modified":"2026-04-27T15:32:55.550926292Z","published":"2019-05-21T13:58:12Z","related":["UBUNTU-CVE-2018-20060","UBUNTU-CVE-2019-11236","UBUNTU-CVE-2019-11324"],"upstream":["CVE-2018-20060","CVE-2019-11236","CVE-2019-11324","UBUNTU-CVE-2018-20060","UBUNTU-CVE-2019-11236","UBUNTU-CVE-2019-11324"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3990-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-20060"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-11236"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-11324"}],"affected":[{"package":{"name":"python-urllib3","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/python-urllib3@1.13.1-2ubuntu0.16.04.3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.13.1-2ubuntu0.16.04.3"}]}],"versions":["1.11-1","1.12-1","1.13.1-1","1.13.1-2","1.13.1-2ubuntu0.16.04.1","1.13.1-2ubuntu0.16.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.13.1-2ubuntu0.16.04.3","binary_name":"python-urllib3"},{"binary_version":"1.13.1-2ubuntu0.16.04.3","binary_name":"python3-urllib3"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2018-20060"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-11236"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3990-1.json"}},{"package":{"name":"python-urllib3","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/python-urllib3@1.22-1ubuntu0.18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22-1ubuntu0.18.04.1"}]}],"versions":["1.21.1-1","1.22-1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.22-1ubuntu0.18.04.1","binary_name":"python-urllib3"},{"binary_version":"1.22-1ubuntu0.18.04.1","binary_name":"python3-urllib3"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2018-20060"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-11236"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-11324"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3990-1.json"}}],"schema_version":"1.7.5"}