Lucene search

K
amazonAmazonALAS-2020-1420
HistoryAug 26, 2020 - 11:09 p.m.

Medium: python-httplib2

2020-08-2623:09:00
alas.aws.amazon.com
9

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.6%

Issue Overview:

In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. (CVE-2020-11078)

Affected Packages:

python-httplib2

Issue Correction:
Run yum update python-httplib2 to update your system.

New Packages:

noarch:  
    python26-httplib2-0.18.1-1.13.amzn1.noarch  
    python27-httplib2-0.18.1-1.13.amzn1.noarch  
  
src:  
    python-httplib2-0.18.1-1.13.amzn1.src  

Additional References

Red Hat: CVE-2020-11078

Mitre: CVE-2020-11078

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

73.6%

Related for ALAS-2020-1420