{"id":"CVE-2020-11078","details":"In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change request headers and body, and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.","aliases":["GHSA-gg84-qgv9-w4pq","PYSEC-2020-46"],"modified":"2026-04-16T04:30:41.461110058Z","published":"2020-05-20T16:15:10.657Z","related":["GHSA-gg84-qgv9-w4pq","SUSE-SU-2021:1637-1","SUSE-SU-2021:1779-1","SUSE-SU-2021:1806-1","SUSE-SU-2021:1807-1","SUSE-SU-2021:1808-1","openSUSE-SU-2021:0772-1","openSUSE-SU-2021:0796-1","openSUSE-SU-2021:1806-1","openSUSE-SU-2024:11231-1","openSUSE-SU-2024:14141-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org
/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"},{"type":"FIX","url":"https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"},{"type":"FIX","url":"https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/httplib2/httplib2","events":[{"introduced":"0"},{"fixed":"8373177d3a9e4dd9c956f9bded22a5f96a00957b"},{"fixed":"a1457cc31f3206cf691d11d2bf34e98865873e9e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.18.0"}]}}],"versions":["0.9","0.9.1","0.9.2","v0.10.1","v0.10.3","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.12.3","v0.13.0","v0.13.1","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.17.4","v0.9","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11078.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}