Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3610.NASL
HistoryOct 08, 2023 - 12:00 a.m.

Debian DLA-3610-1 : python-urllib3 - LTS security update

2023-10-0800:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10
JSON

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3610 advisory.

  • urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

  • In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. (CVE-2019-11236)

  • The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)

  • An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3.
    CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9740)

  • http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  • urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. (CVE-2020-26137)

  • urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn’t treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user.
    However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn’t disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. (CVE-2023-43804)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3610. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(182762);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/15");

  script_cve_id(
    "CVE-2018-20060",
    "CVE-2018-25091",
    "CVE-2019-9740",
    "CVE-2019-11236",
    "CVE-2019-11324",
    "CVE-2020-26116",
    "CVE-2020-26137",
    "CVE-2023-43804"
  );

  script_name(english:"Debian DLA-3610-1 : python-urllib3 - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3610 advisory.

  - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin
    redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the
    Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

  - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the
    request parameter. (CVE-2019-11236)

  - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA
    certificates is different from the OS store of CA certificates, which results in SSL connections
    succeeding in situations where a verification failure is the correct outcome. This is related to use of
    the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)

  - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3.
    CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument
    to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an
    HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10,
    v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12,
    v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1,
    v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9740)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5
    allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR
    and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as
    demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this
    is similar to CVE-2020-26116. (CVE-2020-26137)

  - urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header
    special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user.
    However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP
    redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been
    patched in urllib3 version 1.26.17 or 2.0.5. (CVE-2023-43804)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927172");
  # https://security-tracker.debian.org/tracker/source-package/python-urllib3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb907009");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3610");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/python-urllib3");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-20060");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-25091");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-9740");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-11236");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-11324");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-26116");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-26137");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-43804");
  script_set_attribute(attribute:"solution", value:
"Upgrade the python-urllib3 packages.

For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-26137");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-20060");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-urllib3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-urllib3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'python-urllib3', 'reference': '1.24.1-1+deb10u1'},
    {'release': '10.0', 'prefix': 'python3-urllib3', 'reference': '1.24.1-1+deb10u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-urllib3 / python3-urllib3');
}
VendorProductVersionCPE
debiandebian_linuxpython-urllib3p-cpe:/a:debian:debian_linux:python-urllib3
debiandebian_linuxpython3-urllib3p-cpe:/a:debian:debian_linux:python3-urllib3
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0

References

Related

openvas 27
debian 2
osv 18
nessus 82
suse 2
ibm 4
freebsd 1
ubuntu 3
mageia 2
photon 4
oraclelinux 10
redhat 11
centos 4
cve 2
redhatcve 1
debiancve 2
ubuntucve 3
veracode 1
github 2
prion 2
amazon 3
fedora 4
f5 1
alpinelinux 1
almalinux 3
cloudfoundry 1
rocky 3
openvas
openvas
Debian: Security Advisory (DLA-3610-1)
2023-10-09 00:00:00
Debian: Security Advisory (DLA-2686-1)
2021-06-16 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:2331-1)
2021-06-09 00:00:00
debian
debian
[SECURITY] [DLA 3610-1] python-urllib3 security update
2023-10-08 11:06:45
[SECURITY] [DLA 2686-1] python-urllib3 security update
2021-06-15 18:35:06
osv
osv
python-urllib3 - security update
2023-10-08 00:00:00
python-urllib3 - security update
2021-06-15 00:00:00
CVE-2018-25091
2023-10-15 19:15:09
nessus
nessus
openSUSE Security Update : python-urllib3 (openSUSE-2019-2131)
2019-09-16 00:00:00
Debian DLA-2686-1 : python-urllib3 security update
2021-06-16 00:00:00
Photon OS 2.0: Python PHSA-2021-2.0-0393
2021-09-27 00:00:00
suse
suse
Security update for python-urllib3 (moderate)
2019-09-14 00:00:00
Security update for python-urllib3 (moderate)
2019-09-15 00:00:00
ibm
ibm
Security Bulletin: IBM Spectrum Symphony with urllib3 could allow a remote attacker to obtain sensitive information
2024-02-28 15:45:03
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
2024-05-03 19:55:52
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple vulnerabilities (CVE-2019-11236, CVE-2020-26137, CVE-2021-33503)
2023-12-06 16:00:11
freebsd
freebsd
urllib3 -- multiple vulnerabilities
2018-12-11 00:00:00
ubuntu
ubuntu
urllib3 vulnerabilities
2019-05-21 00:00:00
pip vulnerabilities
2023-11-15 00:00:00
urllib3 vulnerabilities
2023-11-07 00:00:00
mageia
mageia
Updated python-urllib3 packages fix security vulnerability
2019-09-07 00:09:08
Updated python-pip packages fix security vulnerabilities
2020-01-28 14:32:54
photon
photon
Critical Photon OS Security Update - PHSA-2021-0442
2021-10-13 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0393
2021-09-21 00:00:00
Important Photon OS Security Update - PHSA-2021-0246
2021-06-02 00:00:00
oraclelinux
oraclelinux
python-pip security update
2020-05-05 00:00:00
python-pip security update
2020-05-19 00:00:00
python-pip security update
2020-03-18 00:00:00
redhat
redhat
(RHSA-2020:0850) Moderate: python-pip security update
2020-03-17 13:10:26
(RHSA-2020:2068) Moderate: python-pip security update
2020-05-12 14:03:16
(RHSA-2020:1916) Moderate: python-pip security update
2020-04-28 09:30:31
centos
centos
python3 security update
2020-03-18 19:33:57
python security update
2019-08-30 04:04:34
python security update
2020-03-25 19:10:05
cve
cve
CVE-2018-25091
2023-10-15 19:15:00
CVE-2020-26137
2020-09-30 18:15:00
redhatcve
redhatcve
CVE-2018-25091
2023-10-16 04:16:46
debiancve
debiancve
CVE-2018-25091
2023-10-15 19:15:09
CVE-2020-26137
2020-09-30 18:15:00
ubuntucve
ubuntucve
CVE-2018-25091
2023-10-15 00:00:00
CVE-2020-26137
2020-09-30 00:00:00
CVE-2019-11236
2019-04-15 00:00:00
veracode
veracode
Authorization HTTP Header Leakage
2023-10-16 12:50:32
github
github
Authorization Header forwarded on redirect
2023-10-15 21:30:26
CRLF injection in urllib3
2021-06-18 18:46:43
prion
prion
Authorization
2023-10-15 19:15:00
Crlf injection
2020-09-30 18:15:00
amazon
amazon
Medium: python-pip
2020-02-05 16:26:00
Medium: python-pip
2020-02-04 22:44:00
Medium: python-virtualenv
2020-04-20 20:48:00
fedora
fedora
[SECURITY] Fedora 30 Update: python-pip-19.0.3-6.fc30
2020-01-20 03:19:41
[SECURITY] Fedora 31 Update: python-pip-19.1.1-7.fc31
2020-01-08 11:55:39
[SECURITY] Fedora 30 Update: python-urllib3-1.24.3-1.fc30
2019-06-12 14:48:30
f5
f5
K000133547 : Python urllib3 vulnerability CVE-2020-26137
2023-04-18 00:00:00
alpinelinux
alpinelinux
CVE-2020-26137
2020-09-30 18:15:00
almalinux
almalinux
Moderate: python27:2.7 security, bug fix, and enhancement update
2020-04-28 08:55:59
Moderate: python27:2.7 security and bug fix update
2019-11-05 17:32:12
Moderate: python27:2.7 security and bug fix update
2021-05-18 06:02:07
cloudfoundry
cloudfoundry
USN-6473-1: urllib3 vulnerabilities | Cloud Foundry
2023-11-09 00:00:00
rocky
rocky
python27:2.7 security and bug fix update
2019-11-05 17:32:12
python27:2.7 security, bug fix, and enhancement update
2020-04-28 08:55:59
python27:2.7 security and bug fix update
2021-05-18 06:02:07
JSON
Related for DEBIAN_DLA-3610.NASL
openvas27debian2osv18nessus82suse2ibm4freebsd1ubuntu3mageia2photon4oraclelinux10redhat11centos4cve2redhatcve1debiancve2ubuntucve3veracode1github2prion2amazon3fedora4f51alpinelinux1almalinux3cloudfoundry1rocky3