Python urllib CRLF Injection Vulnerability [CVE-2019-9740]

CVE Number – CVE-2019-9740

A vulnerability in the urllib component of Python could allow an unauthenticated, remote attacker to inject Carriage Return Line Feed (CRLF) sequences on a targeted system.

The vulnerability exists in the parameter-handling functionality of the affected software and is due to improper neutralization of CRLF sequences. An attacker with control of the urllib requesting address parameter could exploit this vulnerability by injecting CRLF sequences into the affected software. A successful exploit could allow the attacker to manipulate the HTTP header and enable additional attack methods.Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.The Python project has confirmed the vulnerability; however, software updates are not available.

Analysis

• To exploit this vulnerability, the attacker must send malicious requests to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards

• Administrators are advised to contact the vendor regarding future updates and releases.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to use an unprivileged account when browsing the Internet.
  
  Administrators are advised to monitor critical systems.
  
  Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  
  Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

Vendor Announcements

• Python has published an issue report at the following link: Python urllib CRLF injection vulnerability

Fixed Software

• At the time this alert was first published, software updates were unavailable.