{
  "threat_severity" : "Moderate",
  "public_date" : "2020-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function",
    "id" : "1845937",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1845937"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-113",
  "details" : [ "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", "A flaw was found in python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping." ],
  "statement" : "While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.\nRed Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.\nThis issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.\nThere's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.\nIn Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-11-10T00:00:00Z",
    "advisory" : "RHSA-2020:5004",
    "cpe" : "cpe:/a:redhat:rhel_extras_sap:7",
    "package" : "resource-agents-0:4.1.1-61.el7_9.4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-11-10T00:00:00Z",
    "advisory" : "RHSA-2020:5003",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "fence-agents-0:4.2.1-41.el7_9.2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-11-10T00:00:00Z",
    "advisory" : "RHSA-2020:5004",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "resource-agents-0:4.1.1-61.el7_9.4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4605",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::highavailability",
    "package" : "resource-agents-0:4.1.1-68.el8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2021-05-26T00:00:00Z",
    "advisory" : "RHSA-2021:2116",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "python-httplib2-0:0.13.1-2.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Engine 2",
    "fix_state" : "Out of support scope",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:ansible_engine:2"
  }, {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Out of support scope",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-httplib2",
    "cpe" : "cpe:/a:redhat:rhui:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11078\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11078\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq" ],
  "name" : "CVE-2020-11078",
  "csaw" : false
}