
[Snyk: High] CRLF injection found in urllib3 [due: 9/5/2019] #3896

Closed
jason-upchurch opened this issue Aug 5, 2019 · 1 comment
Assignees
Labels
Security: high Remediate within 30 days

Comments

@jason-upchurch
Contributor

jason-upchurch commented Aug 5, 2019

Summary

found in requirements-ci.txt:

High severity vulnerability found in urllib3
Description: CRLF injection
Info: https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-174323
Introduced through: codecov@2.0.9
From: codecov@2.0.9 > requests@2.21.0 > urllib3@1.24.1
High severity vulnerability found in urllib3
Description: Improper Certificate Validation
Info: https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-174464
Introduced through: codecov@2.0.9
From: codecov@2.0.9 > requests@2.21.0 > urllib3@1.24.1

Overview for CRLF injection

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to CRLF injection. An attacker who has control of the requesting address parameter could manipulate an HTTP header and attack an internal service.

Overview for Improper Certificate Validation

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Improper Certificate Validation. It mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates. This can result in SSL connections succeeding in situations where they should have failed.

Remediation

Upgrade urllib3 to version 1.24.3 or higher.

@jason-upchurch jason-upchurch added the Security: high Remediate within 30 days label Aug 5, 2019
@jason-upchurch jason-upchurch added this to the PI 9 innovation milestone Aug 5, 2019
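Two checks a project can run on its own side while a dependency upgrade like this one is pending, added here as an example and not code from this issue, from Snyk or from urllib3: refuse request URLs that carry CR/LF or other control characters before they reach the HTTP client (the class of input the CRLF advisory describes), and flag urllib3 pins below the 1.24.3 remediation version in pip-freeze style output. The sample freeze text is constructed from the dependency chain quoted above.

```python
import re
from urllib.parse import urlsplit

# C0 control characters plus DEL; a client that does not strip or encode
# these can emit the raw bytes into the request line and headers.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Remediation version named in the Snyk advisory quoted in this issue.
FIXED_URLLIB3 = (1, 24, 3)

# Constructed sample, mirroring the codecov > requests > urllib3 chain above.
SAMPLE_FREEZE = """\
codecov==2.0.9
requests==2.21.0
urllib3==1.24.1
"""


def is_safe_request_url(url: str) -> bool:
    """True if url is absolute http(s), has a host, and carries no control chars.

    Percent-encoded sequences are left alone: only literal control characters
    in the string handed to the client are rejected.
    """
    if _CONTROL_CHARS.search(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def parse_version(text: str) -> tuple:
    """Numeric-only version tuple; sufficient for the 1.24.x line discussed."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def vulnerable_urllib3_pins(freeze_output: str) -> list:
    """Return every urllib3 pin in pip-freeze style text that predates 1.24.3."""
    found = []
    for line in freeze_output.splitlines():
        m = re.match(r"\s*urllib3\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m and parse_version(m.group(1)) < FIXED_URLLIB3:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print("vulnerable pins:", vulnerable_urllib3_pins(SAMPLE_FREEZE))
    print("safe:", is_safe_request_url("https://internal.example/api?q=x"))
```

The version check only catches direct pins; run it over the fully resolved `pip freeze` output so transitive pins such as the one pulled in through `codecov` are covered.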
@pkfec
Contributor

pkfec commented Aug 19, 2019

The urllib3 CRLF injection vulnerability has been fixed in the 1.24 series and released as 1.24.3.
See more: urllib3/urllib3#1553

Our development environment is already running on the latest release of urllib3 v1.24.3 package.
No need to make any changes. Closing this issue.
