urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.83. Please mark this comment with 👍 or 👎 to give our bot feedback!
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl" on Apr 27, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" on May 5, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl" on May 9, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" on May 9, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl" on Sep 14, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" on Oct 19, 2021
mend-bolt-for-github (bot) changed the title from "CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl" to "CVE-2020-26137 (Medium) detected in urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl" on Aug 31, 2022
CVE-2020-26137 - Medium Severity Vulnerability
Vulnerable Libraries - urllib3-1.25.8-py2.py3-none-any.whl, urllib3-1.25.7-py2.py3-none-any.whl
urllib3-1.25.8-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/e8/74/6e4f91745020f967d09332bb2b8b9b10090957334692eb88ea4afe91b77f/urllib3-1.25.8-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
urllib3-1.25.7-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: f45267ce40e0fb5f8285588473e89c50febabe95
Found in base branch: master
Vulnerability Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9