Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
mageiaGentoo FoundationMGASA-2021-0054
HistoryJan 25, 2021 - 6:25 p.m.

Updated python-pip packages fix security vulnerabilities

2021-01-2518:25:52
Gentoo Foundation
advisories.mageia.org
41

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.004 Low

EPSS

Percentile

74.7%

JSON

It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possible use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916). urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). The python-pip package bundles a copy of python-urllib3, which was affected by this issue. The bundled copy was patched to fix the issue (CVE-2020-26137).

OSVersionArchitecturePackageVersionFilename
Mageia7noarchpython-pip< 19.0.3-1.3python-pip-19.0.3-1.3.mga7

Related

openvas 44
nessus 73
osv 13
debiancve 2
cvelist 2
suse 17
cbl_mariner 2
oraclelinux 5
almalinux 3
redhat 6
redhatcve 2
debian 1
prion 2
github 2
cve 2
ubuntucve 2
nvd 2
centos 2
amazon 2
ibm 5
mageia 1
ubuntu 2
veracode 2
rocky 2
redos 1
f5 1
alpinelinux 1
openvas
openvas
Mageia: Security Advisory (MGASA-2021-0054)
2022-01-28 00:00:00
openSUSE: Security Advisory for python-pip (openSUSE-SU-2020:1613-1)
2020-10-05 00:00:00
Debian: Security Advisory (DLA-2370-1)
2020-09-12 00:00:00
nessus
nessus
openSUSE Security Update : python-pip (openSUSE-2020-2169)
2020-12-07 00:00:00
openSUSE Security Update : python (openSUSE-2020-2211)
2020-12-10 00:00:00
SUSE SLES12 Security Update : python3 (SUSE-SU-2021:0344-1)
2021-02-09 00:00:00
osv
osv
PYSEC-2020-173
2020-09-04 20:15:00
python-pip - security update
2020-09-11 00:00:00
python-pip vulnerability
2020-10-22 22:18:11
debiancve
debiancve
CVE-2019-20916
2020-09-04 20:15:11
CVE-2020-26137
2020-09-30 18:15:26
cvelist
cvelist
CVE-2019-20916
2020-09-04 19:20:55
CVE-2020-26137
2020-09-29 00:00:00
suse
suse
Security update for python-pip (moderate)
2022-04-28 00:00:00
Security update for python (important)
2020-12-09 00:00:00
Security update for python-pip (important)
2020-12-07 00:00:00
cbl_mariner
cbl_mariner
CVE-2019-20916 affecting package python-pip 18.0-5
2021-01-11 21:49:40
CVE-2020-26137 affecting package python-urllib3 1.24.2-2
2021-08-11 06:39:25
oraclelinux
oraclelinux
python-pip security update
2020-11-10 00:00:00
python-virtualenv security update
2022-06-29 00:00:00
python-pip security update
2022-03-10 00:00:00
almalinux
almalinux
Moderate: python-pip security update
2020-11-03 12:04:06
Moderate: python-urllib3 security update
2021-05-18 05:42:27
Moderate: python27:2.7 security update
2020-11-03 12:24:08
redhat
redhat
(RHSA-2020:4432) Moderate: python-pip security update
2020-11-03 12:04:06
(RHSA-2022:5234) Moderate: python-virtualenv security update
2022-06-28 07:52:36
(RHSA-2021:1631) Moderate: python-urllib3 security update
2021-05-18 05:42:27
redhatcve
redhatcve
CVE-2019-20916
2020-09-07 14:21:56
CVE-2020-26137
2020-09-29 19:03:30
debian
debian
[SECURITY] [DLA 2370-1] python-pip security update
2020-09-11 10:16:16
prion
prion
Directory traversal
2020-09-04 20:15:00
Crlf injection
2020-09-30 18:15:00
github
github
Path Traversal in pip
2021-06-09 17:35:04
CRLF injection in urllib3
2021-06-18 18:46:43
cve
cve
CVE-2019-20916
2020-09-04 20:15:11
CVE-2020-26137
2020-09-30 18:15:26
ubuntucve
ubuntucve
CVE-2019-20916
2020-09-04 00:00:00
CVE-2020-26137
2020-09-30 00:00:00
nvd
nvd
CVE-2019-20916
2020-09-04 20:15:11
CVE-2020-26137
2020-09-30 18:15:26
centos
centos
python security update
2022-08-02 19:21:51
python, tkinter security update
2022-08-02 19:15:12
amazon
amazon
Medium: python-urllib3
2021-06-16 20:37:00
Medium: python-pip
2021-05-20 16:07:00
ibm
ibm
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to CRLF injection in Python urllib3 [CVE-2020-26137]
2024-02-29 20:30:41
Security Bulletin: Vulnerability in Urllib3 affects IBM Spectrum Protect Container and Microsoft File Systems Agents (CVE-2020-26137)
2020-12-04 06:34:59
Security Bulletin: A vulnerability in urlib3 affects IBM Robotic Process Automation for Cloud Pak which may result in CRLF injection (CVE-2020-26137).
2023-08-21 17:54:57
mageia
mageia
Updated python-urllib3 packages fix security vulnerability
2021-01-25 18:25:52
ubuntu
ubuntu
urllib3 vulnerability
2020-10-05 00:00:00
pip vulnerability
2020-10-22 00:00:00
veracode
veracode
Carriage-Return Line-Feed (CRLF) Injection
2020-10-01 01:43:17
Directory Traversal
2019-06-13 01:55:10
rocky
rocky
python-urllib3 security update
2021-05-18 05:42:27
python27:2.7 security update
2020-11-03 12:24:08
redos
redos
ROS-20230619-05
2023-06-19 00:00:00
f5
f5
K000133547 : Python urllib3 vulnerability CVE-2020-26137
2023-04-18 00:00:00
alpinelinux
alpinelinux
CVE-2020-26137
2020-09-30 18:15:26

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.004 Low

EPSS

Percentile

74.7%

JSON
Related for MGASA-2021-0054
openvas44nessus73osv13debiancve2cvelist2suse17cbl_mariner2oraclelinux5almalinux3redhat6redhatcve2debian1prion2github2cve2ubuntucve2nvd2centos2amazon2ibm5mageia1ubuntu2veracode2rocky2redos1f51alpinelinux1