HIGH 7.2
CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS
0.9%
percentile 75.9%
Affected tracked apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| python | python | Windows | ≥3.0.0 <3.5.10 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.6.0 <3.6.12 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.7.0 <3.7.9 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.8.0 <3.8.5 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |