6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11078

GHSA ID

GHSA-gg84-qgv9-w4pq

EPSS Score

0.8645%

CWE

CWE-93

Published

5/20/2020

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-11078

CVE-2020-11078: CRLF injection in httplib2

Impact

Attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server.

Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.

Patches

Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.

Workarounds

Create URI with urllib.parse family functions: urlencode, urlunsplit.

user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:"
-uri = "https://api.server/?q={}".format(user_input)
+uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), ""))
http.request(uri)

References

https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html

Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.

For more information

If you have any questions or comments about this advisory:

Open an issue in httplib2
Email current maintainer at 2020-05

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11078

GHSA ID

GHSA-gg84-qgv9-w4pq

EPSS Score

0.8645%

CWE

CWE-93

Published

5/20/2020

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
httplib2	pip	< 0.18.0	0.18.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the request method's handling of URI parameters before the security patch. The commit diff shows critical sanitization (replacing CR/LF/space with %-encodings) was added directly in the request method's flow. The advisory explicitly references httplib2.Http.request() as the entry point, and the CWE-93 classification matches the CRLF injection via unescaped URI components. The vulnerable pattern occurs when URIs are constructed via string concatenation rather than proper URL building utilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *tt**k*r *ontrollin* un*s**p** p*rt o* uri *or `*ttpli**.*ttp.r*qu*st()` *oul* ***n** r*qu*st *****rs *n* *o*y, s*n* ***ition*l *i***n r*qu*sts to s*m* s*rv*r. Imp**ts so*tw*r* t**t us*s *ttpli** wit* uri *onstru*t** *y strin* *on**t*n*ti

Reasoning

T** vuln*r**ility st*ms *rom t** r*qu*st m*t*o*'s **n*lin* o* URI p*r*m*t*rs ***or* t** s**urity p*t**. T** *ommit *i** s*ows *riti**l s*nitiz*tion (r*pl**in* *R/L*/sp*** wit* %-*n*o*in*s) w*s ***** *ir**tly in t** r*qu*st m*t*o*'s *low. T** **visory

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-11078: CRLF injection in httplib2

Impact

Patches

Workarounds

References

For more information

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI