Description

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

Severity (CVSS)

Base score4.1
SeverityMedium
VersionCVSS 4.0
VectorCVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Provided byCNA

Weaknesses

  • CWE-74 — CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected products

VendorProductVersions
Python Software FoundationCPython0 to <3.15.0

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 24 Jun 2026 09:35 UTC.