CVE-2022-0391

Summary

CVE: CVE-2022-0391
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-02-09 23:15:00 UTC
Updated: 2023-11-07 03:41:00 UTC
Description: A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Risk And Classification

Problem Types: CWE-74

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Fedoraproject | Fedora | 34 | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Application | Netapp | Active Iq Unified Manager | - | All | All | All
Application | Netapp | Hci | - | All | All | All
Hardware | Netapp | Hci Compute Node | - | All | All | All
Application | Netapp | Management Services For Element Software | - | All | All | All
Application | Netapp | Ontap Select Deploy Administration Utility | - | All | All | All
Application | Netapp | Solidfire Enterprise Sds Hci Storage Node | - | All | All | All
Application | Oracle | Http Server | 12.2.1.3.0 | All | All | All
Application | Oracle | Http Server | 12.2.1.4.0 | All | All | All
Application | Oracle | Zfs Storage Appliance Kit | 8.8 | All | All | All
Application | Python | Python | All | All | All | All
Application | Python | Python | 3.10.0 | alpha1 | All | All
Application | Python | Python | 3.10.0 | alpha2 | All | All
Application | Python | Python | 3.10.0 | alpha3 | All | All
Application | Python | Python | 3.10.0 | alpha4 | All | All
Application | Python | Python | 3.10.0 | alpha5 | All | All
Application | Python | Python | 3.10.0 | alpha6 | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 35 Update: python2.7-2.7.18-20.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
Issue 43882: [security] urllib.parse should sanitize urls containing ASCII newline and tabs. - Python tracker | MISC | bugs.python.org |
Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com |
Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security | GENTOO | security.gentoo.org |
CVE-2022-0391 Python Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
[SECURITY] Fedora 34 Update: python2.7-2.7.18-20.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] [DLA 3575-1] python2.7 security update | MLIST | lists.debian.org |
[SECURITY] Fedora 34 Update: python2.7-2.7.18-20.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: python2.7-2.7.18-20.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 159797 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2022-1764)
  • 159819 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-1821)
  • 160086 Oracle Enterprise Linux Security Update for python3 (ELSA-2022-6457)
  • 160754 Oracle Enterprise Linux Security Update for python (ELSA-2023-3550)
  • 198714 Ubuntu Security Notification for Python Vulnerabilities (USN-5342-1)
  • 240254 Red Hat Update for python27-python and python27-python-pip (RHSA-2022:1663)
  • 240287 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2022:1764)
  • 240302 Red Hat Update for python27:2.7 (RHSA-2022:1821)
  • 240663 Red Hat Update for python3 (RHSA-2022:6457)
  • 282346 Fedora Security Update for mingw (FEDORA-2022-7018d21c6b)
  • 282427 Fedora Security Update for python2.7 (FEDORA-2022-18ad73aba6)
  • 282428 Fedora Security Update for python2.7 (FEDORA-2022-ef99a016f6)
  • 296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
  • 353942 Amazon Linux Security Advisory for python : ALAS2-2022-1802
  • 353955 Amazon Linux Security Advisory for python27 : ALAS-2022-1593
  • 377718 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2022:0170)
  • 6000148 Debian Security Update for python2.7 (DLA 3575-1)
  • 671550 EulerOS Security Update for python3 (EulerOS-SA-2022-1582)
  • 671609 EulerOS Security Update for python (EulerOS-SA-2022-1548)
  • 671614 EulerOS Security Update for python2 (EulerOS-SA-2022-1581)
  • 671634 EulerOS Security Update for python3 (EulerOS-SA-2022-1664)
  • 671643 EulerOS Security Update for python3 (EulerOS-SA-2022-1650)
  • 671674 EulerOS Security Update for python (EulerOS-SA-2022-1757)
  • 710714 Gentoo Linux Python, PyPy3 Multiple Vulnerabilities (GLSA 202305-02)
  • 751895 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:0882-1)
  • 751961 OpenSUSE Security Update for python (openSUSE-SU-2022:1091-1)
  • 751976 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:1140-1)
  • 751979 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:1091-1)
  • 900691 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (8534)
  • 902044 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (8535)
  • 940499 AlmaLinux Security Update for python27:2.7 (ALSA-2022:1821)
  • 940557 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2022:1764)
  • 940653 AlmaLinux Security Update for python3 (ALSA-2022:6457)
  • 960252 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2022:1764)
  • 960259 Rocky Linux Security Update for python27:2.7 (RLSA-2022:1821)