CVE编号
CVE-2020-26116利用情况
暂无补丁情况
官方补丁披露时间
2020-09-27漏洞描述
Python是Python软件基金会的一套开源的、面向对象的程序设计语言。该语言具有可扩展、支持模块和包、支持多种平台等特点。 Python http.client存在注入漏洞。该漏洞源于用户输入构造命令、数据结构或记录的操作过程中,网络系统或产品缺乏对用户输入数据的正确验证,未过滤或未正确过滤掉其中的特殊元素,导致系统或产品产生解析或解释方式错误。以下产品及版本受到影响:Python 3.x系列3.5.10之前版本, 3.6.x系列3.6.12之前版本, 3.7.x系列3.7.9之前版本, 3.8.x系列3.8.5之前版本。解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://python-security.readthedocs.io/vuln/http-header-injection-method.html
参考链接 |
|
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html | |
| https://bugs.python.org/issue39603 | |
| https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://python-security.readthedocs.io/vuln/http-header-injection-method.html | |
| https://security.gentoo.org/glsa/202101-18 | |
| https://security.netapp.com/advisory/ntap-20201023-0001/ | |
| https://usn.ubuntu.com/4581-1/ | |
| https://www.oracle.com/security-alerts/cpuoct2021.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | python | python | * |
From (including) 3.0.0 |
Up to (excluding) 3.5.10 |
||||
| 运行在以下环境 | |||||||||
| 应用 | python | python | * |
From (including) 3.6.0 |
Up to (excluding) 3.6.12 |
||||
| 运行在以下环境 | |||||||||
| 应用 | python | python | * |
From (including) 3.7.0 |
Up to (excluding) 3.7.9 |
||||
| 运行在以下环境 | |||||||||
| 应用 | python | python | * |
From (including) 3.8.0 |
Up to (excluding) 3.8.5 |
||||
| 运行在以下环境 | |||||||||
| 系统 | amazon_2 | python | * |
Up to (excluding) 2.7.18-1.amzn2.0.4 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | amazon_AMI | python3.5 | * |
Up to (excluding) 2.7.18-2.140.amzn1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | centos_8 | python | * |
Up to (excluding) 3.6.8-37.el8 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | python3.5 | * |
Up to (excluding) 3.7.3-2+deb10u3 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | python3.5 | * |
Up to (excluding) 3.5.3-1+deb9u3 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_31 | python3.5 | * |
Up to (excluding) 2.7.18-6.fc31 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_32 | python3.5 | * |
Up to (excluding) 2.7.18-6.fc32 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_33 | python3.5 | * |
Up to (excluding) 2.7.18-6.fc33 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_EPEL_7 | python3.5 | * |
Up to (excluding) 3.4.10-7.el7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.1 | python3.5 | * |
Up to (excluding) 2.7.17-lp151.10.25.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.2 | python | * |
Up to (excluding) 2.7.17-lp152.3.6.2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | oracle_8 | python | * |
Up to (excluding) 3.6.8-37.0.1.el8 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_8 | python | * |
Up to (excluding) 3.6.8-37.el8 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP5 | python3.5 | * |
Up to (excluding) 1.22-3.23.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_14.04 | python | * |
Up to (excluding) 3.4.3-1ubuntu1~14.04.7+esm8 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_16.04 | python | * |
Up to (excluding) 2.7.12-1ubuntu0~16.04.13 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | python | * |
Up to (excluding) 3.7.5-2~18.04.4 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_20.04 | python | * |
Up to (excluding) 2.7.18-1~20.04.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | unionos_20 | python | * |
Up to (excluding) 3.7.3.2-1+dde |
|||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 传输被破坏
- 服务器危害 无影响
- 全网数量 N/A
还没有评论,来说两句吧...