CVE-2019-9947 Python urllib HTTP Header Injection Vulnerability Analysis

Key Vulnerability Information Vulnerability Title: CVE-2019-9947 Header Injection in urllib Type: Security Vulnerability Status: Closed Resolution: Duplicate Dependencies and Parent Items: - CVE-2019-9740 - CVE-2019-9947 - CVE-2016-5699 Priority: Normal Author: push0ebp Creation Date: 2019-02-06 Last Modified Date: 2022-04-11 Vulnerability Description Description: - This vulnerability allows HTTP header injection via path and query string, bypassing checks for invalid headers. - By injecting full HTTP headers, attackers can bypass host header validation, impacting services such as Redis and SSRF. - Affects Python 3.4.7+ versions, and possibly higher versions as well. Code Example: Fix: - Modify the regular expression to use mode, allowing all characters to be parsed during host extraction. - Specific fix commit: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 Summary: - This vulnerability enables attackers to bypass invalid header checks and fully inject HTTP headers. - The issue exists in the use of in the module, potentially leading to more severe security risks. Related Discussions Pull Requests: - PR 11768 and PR 12524 have been closed and are linked to this issue. - A developer submitted a fix PR and requested feedback. CVE Reference: - This vulnerability was assigned CVE-2019-9947. Other Related Issues Similar Issues: - Issue 13359 proposes automatic percent-encoding of invalid URLs. - Issue 30500 may be related to this problem.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2019-9947 Python urllib HTTP Header Injection Vulnerability Analysis