Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2020-26137, CVE-2020-7212, CVE-2021-33503]

May 3, 2025 invoker category_cve

Vulnerability Details

Basic Information

Title Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2020-26137, CVE-2020-7212, CVE-2021-33503]
Type ibm
Published 2025-05-03T07:17:21
Last Seen 2025-05-03T10:56:45
CVSS Score 7.5 (HIGH)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

CVE Information

CVE IDs CVE-2020-26137, CVE-2020-7212, CVE-2021-33503
CWE
Bulletin Family software

Description

## Summary

The urllib3 package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE [CVE-2020-26137, CVE-2020-7212, CVE-2021-33503].

## Vulnerability Details

**CVEID:**CVE-2020-26137
**DESCRIPTION:** urllib3 is vulnerable to CRLF injection. By inserting CR and LF control characters in the first argument of putrequest(), a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189426 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**CVE-2020-7212
**DESCRIPTION:** urllib3 is vulnerable to a denial of service, caused by a flaw in the _encode_invalid_chars function in util/url.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177323 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2021-33503
**DESCRIPTION:** urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203109 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM Cloud Pak for Data System 1.0| 1.0.0.0- 1.0.8.4

## Remediation/Fixes

**IBM strongly recommends addressing the vulnerability now by upgrading to latest version.**

Affected Product(s)| VRMF| Remediation/Fixes
—|—|—
IBM Cloud Pak for Data System 1.0| 1.0.9.0| Link to Fix Central

## Workarounds and Mitigations

None

##

Impact Assessment

Base Score 7.5
Severity HIGH

View full CVE details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.