Httplib2
CVE-2020-11078
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 3 pypi packages depend on httplib2 (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.18.0.
DescriptionNVD
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
AnalysisAI
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified under CWE-93. In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. Affected products include: Httplib2 Project Httplib2, Fedoraproject Fedora, Debian Debian Linux. Version information: version 0.18.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromi
httplib2 is a comprehensive HTTP client library for Python. Rated high severity (CVSS 7.5), this vulnerability is remote
httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today