Learn about CVE-2019-9947, a CRLF injection vulnerability in Python's urllib and urllib2 modules. Find out the impacted systems, exploitation mechanism, and mitigation steps.
A vulnerability has been identified in the urllib2 module in Python 2.x through 2.7.16 and in the urllib module in Python 3.x through 3.7.3. It allows CRLF injection when an attacker controls a URL parameter: the injection occurs when the first argument of urllib.request.urlopen contains "\r\n" in the path section of the URL (that is, before any "?" character, as opposed to the query string), followed by an HTTP header or a Redis command. The issue is the path-section counterpart of the query-string vulnerability CVE-2019-9740. The vulnerability has been fixed in various versions of Python.
Understanding CVE-2019-9947
This CVE pertains to a CRLF injection vulnerability in Python's urllib and urllib2 modules.
What is CVE-2019-9947?
CVE-2019-9947 is a security vulnerability in Python that allows for CRLF injection when an attacker controls a URL parameter.
The Impact of CVE-2019-9947
An attacker who controls a URL parameter could use the vulnerability to inject additional HTTP headers, or commands to a Redis service, into the request that urllib sends, so the application ends up issuing requests its developer never intended.
Technical Details of CVE-2019-9947
This section provides more in-depth technical information about the CVE.
Vulnerability Description
The vulnerability in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3 allows for CRLF injection if the attacker controls a URL parameter.
Affected Systems and Versions
Applications using the urllib2 module on Python 2.x through 2.7.16, and the urllib module on Python 3.x through 3.7.3, are affected when they pass attacker-influenced URLs to urlopen.
Exploitation Mechanism
The injection occurs when the first argument of urllib.request.urlopen contains "\r\n" in the path section of the URL (before any "?" character), followed by an HTTP header or a Redis command; the CRLF terminates the request line, so whatever follows is sent as part of the request.
Mitigation and Prevention
Protecting systems from CVE-2019-9947 requires immediate actions and long-term security practices.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure that all systems running affected Python versions are patched with the provided fixes.
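The following is an added example, not code from the advisory or from the Python project. It shows the two layers of mitigation a practitioner would want: an application-level check that rejects control characters in a URL before it reaches urlopen (so the protection holds even on an unpatched interpreter), and a probe that tells you whether the interpreter you are running on already enforces the upstream fix in http.client. The character class mirrors the one CPython's http.client applies to the request target after the fix (NUL through space, plus DEL), which contains both CR and LF; the function names validate_url, safe_urlopen and interpreter_rejects_control_chars are this example's own, and the sample URLs are constructed.

```python
"""Defensive checks for CVE-2019-9947-style CRLF injection in URLs handed to urllib.

Added example; helper names are this example's own, sample URLs are constructed.
"""
import http.client
import re
from urllib.parse import urlsplit
from urllib.request import urlopen

# Same character class CPython's http.client uses to reject the request target
# after the fix: control characters NUL..space and DEL. CR (0x0d) and LF (0x0a)
# fall inside it, so a "\r\n" anywhere in the URL is refused.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to pass to urlopen; raise ValueError otherwise.

    Runs before the URL reaches urllib, so the check does not depend on the
    interpreter being patched. Both the path (CVE-2019-9947) and the query
    string (CVE-2019-9740) are covered because the whole string is scanned.
    """
    match = _DISALLOWED.search(url)
    if match:
        raise ValueError(
            f"URL contains control character {match.group()!r} at offset {match.start()}"
        )
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected URL scheme {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return url


def safe_urlopen(url: str, timeout: float = 10.0):
    """Validate first, then open. A bad URL raises ValueError before any bytes are sent."""
    return urlopen(validate_url(url), timeout=timeout)


def interpreter_rejects_control_chars() -> bool:
    """True if this interpreter's http.client refuses a request target containing CRLF.

    HTTPConnection.putrequest only buffers the request line; it does not open a
    socket, so this probe runs offline. A patched interpreter raises
    http.client.InvalidURL; an unpatched one would silently buffer the split
    request, and the function returns False.
    """
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", "/path\r\nX-Injected: 1")  # constructed, never sent
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal URL and one carrying a CRLF in its path section.
    samples = [
        "https://example.com/api/v1/items?id=42",
        "http://example.com/api\r\nX-Injected: 1\r\n",
    ]
    for sample in samples:
        try:
            validate_url(sample)
            print("accepted:", sample)
        except ValueError as exc:
            print("rejected:", exc)
    print("interpreter enforces the http.client fix:", interpreter_rejects_control_chars())
```

Keep validate_url in place even on a patched interpreter: the upstream check lives in http.client and only protects that client, whereas attacker-controlled URLs often travel through other libraries or get logged and reused elsewhere, and failing early with a clear ValueError is easier to monitor than an InvalidURL surfacing deep inside a request.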