From 4ee2c083dc6cfae426a005441fe82adcced156ae Mon Sep 17 00:00:00 2001
From: Victor Stinner
Date: Tue, 29 Sep 2020 00:37:07 +0200
Subject: [PATCH] CVE-2020-26116
---
 cve/CVE-2020-26116.json | 19 +++++++++++++++++++
 vulnerabilities.yaml | 1 +
 2 files changed, 20 insertions(+)
 create mode 100644 cve/CVE-2020-26116.json
diff --git a/cve/CVE-2020-26116.json b/cve/CVE-2020-26116.json
new file mode 100644
index 0000000..a0d9b78
--- /dev/null
+++ b/cve/CVE-2020-26116.json
@@ -0,0 +1,19 @@
+{
+ "Modified": "2020-09-27T04:15:00",
+ "Published": "2020-09-27T04:15:00",
+ "access": {},
+ "assigner": "cve@mitre.org",
+ "cvss": 5.0,
+ "cwe": "Unknown",
+ "id": "CVE-2020-26116",
+ "impact": {},
+ "last-modified": "2020-09-27T22:01:00",
+ "references": [
+ "https://bugs.python.org/issue39603",
+ "https://python-security.readthedocs.io/vuln/http-header-injection-method.html"
+ ],
+ "summary": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.",
+ "vulnerable_configuration": [],
+ "vulnerable_configuration_cpe_2_2": [],
+ "vulnerable_product": []
+}
\ No newline at end of file
diff --git a/vulnerabilities.yaml b/vulnerabilities.yaml
index 2f417d3..0d4465d 100644
--- a/vulnerabilities.yaml
+++ b/vulnerabilities.yaml
@@ -1571,6 +1571,7 @@
 
 - name: "http.client: HTTP Header Injection in the HTTP method"
 slug: http-header-injection-method
+ cve: CVE-2020-26116
 bpo: 39603
 fixed-in:
 - 3.5: 524b8de630036a29ca340bc2ae6fd6dc7dda8f40
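Review bot: The new record in cve/CVE-2020-26116.json looks like a snapshot taken before the upstream entry was analysed: `"cwe": "Unknown"`, `access` and `impact` are empty objects, all three `vulnerable_*` lists are empty, and `Published` equals `Modified`. With no vector behind it, `"cvss": 5.0` is probably a provisional or default value rather than an assessed score, so anything that sorts or filters on it should be treated as unreliable until the file is re-fetched. The summary describes CRLF injection through the request method, so once the record is refreshed `cwe` should carry a CRLF or header-injection class instead of `Unknown`. The file also ends without a trailing newline (`\ No newline at end of file`); ending it with one keeps later regenerations from showing a spurious last-line change.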