Vulnerabilities on urllib3
shsnddn opened this issue · comments
shsnddn commented
Hi,
Dependabot flagged vulnerabilities for urllib3 below v1.26.5.
CVE-2020-26137
moderate severity
Vulnerable versions: < 1.25.9
Patched version: 1.25.9
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
GHSA-q2q7-5pp4-w6pg
moderate severity
Vulnerable versions: < 1.26.5
Patched version: 1.26.5
Impact
When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Patches
The issue has been fixed in urllib3 v1.26.5.
References
CVE-2021-33503
urllib3 v1.26.5
Tried to edit the requirements.txt to urllib3>=1.26.5 and wanted to send a PR for this, but I got the following error:
/var/task/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.5) or chardet (3.0.4) doesn't match a supported version!
Could anyone help with this?
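As an added example that is not part of the original issue, this repository, or urllib3 itself: the two advisories quoted above describe attacker-controlled input reaching urllib3 in two places, the HTTP method (CR/LF injection into the request line) and the URL authority (catastrophic backtracking on many `@` characters). The stdlib-only code below shows the defensive pre-checks a caller can apply before handing either value to urllib3, plus a version gate for the two patched versions named in the thread. The function names, the `MAX_AT_SIGNS` ceiling, the token regex, and the `PATCHED` table are my own assumptions for illustration, not urllib3 APIs.

```python
import re
from urllib.parse import urlsplit

# RFC 7230 "tchar": the only characters allowed in an HTTP method token.
# CR, LF and every other control character are excluded, which is what
# blocks the CVE-2020-26137 style of request-line injection.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Hypothetical ceiling (my assumption): a valid userinfo needs exactly one
# '@' to separate it from the host, so more than one is always suspicious.
MAX_AT_SIGNS = 1

# Patched versions taken from the advisories quoted in this thread.
PATCHED = {
    "CVE-2020-26137": (1, 25, 9),   # CRLF injection via the method argument
    "CVE-2021-33503": (1, 26, 5),   # ReDoS on '@'-heavy authority components
}


def check_method(method: str) -> None:
    """Raise ValueError if `method` is not a clean HTTP token (e.g. contains CR/LF)."""
    if not _TOKEN_RE.match(method):
        raise ValueError("HTTP method contains non-token characters: %r" % method)


def check_url_authority(url: str) -> None:
    """Raise ValueError if the authority has more '@' than a valid userinfo allows.

    urlsplit() locates the authority by plain string partitioning, not a
    backtracking regex, so this check stays cheap on adversarial input.
    """
    netloc = urlsplit(url).netloc
    if netloc.count("@") > MAX_AT_SIGNS:
        raise ValueError("suspicious authority component: %r" % netloc[:60])


def is_safe_request(method: str, url: str) -> bool:
    """Combined guard: True only if both the method and the URL pass the checks."""
    try:
        check_method(method)
        check_url_authority(url)
    except ValueError:
        return False
    return True


def unpatched_advisories(installed: str) -> list:
    """Return the advisory IDs from this thread that `installed` urllib3 does not fix.

    Assumes a plain dotted version string such as "1.26.5" (no pre-release tags).
    """
    match = re.match(r"\d+(?:\.\d+)*", installed)
    if not match:
        raise ValueError("unrecognised version string: %r" % installed)
    version = tuple(int(part) for part in match.group(0).split("."))
    return sorted(cve for cve, fixed in PATCHED.items() if version < fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(is_safe_request("GET", "https://example.com/"))                    # True
    print(is_safe_request("GET\r\nX-Injected: 1", "https://example.com/"))   # False
    print(is_safe_request("GET", "https://" + "@" * 10000 + "example.com/")) # False
    print(unpatched_advisories("1.25.8"))
```

The method check is stricter than "no CR/LF": rejecting anything outside the RFC 7230 token alphabet also stops space or tab from splitting the request line. The `@` check only looks at the authority, so an `@` in the path or query is not flagged. Neither guard replaces upgrading to urllib3 1.26.5 or later; they are a belt-and-braces measure for code that must keep accepting untrusted URLs while the pin is being sorted out.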
shsnddn commented
Hi,
I was able to resolve the issue by adding
RUN pip3 install --upgrade requests
in the Dockerfile.
Thanks!