Lucene search

K
amazonAmazonALAS-2020-1420
HistoryAug 26, 2020 - 11:09 p.m.

Medium: python-httplib2

2020-08-2623:09:00
alas.aws.amazon.com
18
httplib2
version 0.18.0
attacker control
request headers
request body
cve-2020-11078

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.005

Percentile

76.1%

Issue Overview:

In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. (CVE-2020-11078)

Affected Packages:

python-httplib2

Issue Correction:
Run yum update python-httplib2 to update your system.

New Packages:

noarch:  
    python26-httplib2-0.18.1-1.13.amzn1.noarch  
    python27-httplib2-0.18.1-1.13.amzn1.noarch  
  
src:  
    python-httplib2-0.18.1-1.13.amzn1.src  

Additional References

Red Hat: CVE-2020-11078

Mitre: CVE-2020-11078

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.005

Percentile

76.1%