A security regression of CVE-2019-9636 was discovered in Python, introduced by commit d537ab0ff9767ef024f26246899728f0116b1ec3 and affecting versions 2.7, 3.5, 3.6, 3.7 and v3.8.0a4 through v3.8.0b1. It still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can supply specially crafted URLs that cause the application to look up host-related information (e.g. cookies, authentication data) and send it to a different host than a correctly parsed URL would designate. The result of an attack may vary depending on the application.
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://access.redhat.com/errata/RHSA-2019:1587
https://access.redhat.com/errata/RHSA-2019:1700
https://access.redhat.com/errata/RHSA-2019:2437
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160
https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468
https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
https://security.netapp.com/advisory/ntap-20190617-0003/
Source: MITRE
Published: 2019-06-07
Updated: 2021-01-06
Type: CWE-255
CVSS v2
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3.0
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Severity: CRITICAL
Affected configurations (any of the following):
cpe:2.3:a:python:python:3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.6.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.7:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.8.0a4 to 3.8.0b1 (inclusive)
ID | Name | Product | Family | Severity |
---|---|---|---|---|
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium |
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | medium |
133448 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1) | Nessus | SuSE Local Security Checks | high |
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | medium |
130797 | Fedora 29 : python35 (2019-d202cda4f8) | Nessus | Fedora Local Security Checks | medium |
130793 | Fedora 30 : python35 (2019-b06ec6159b) | Nessus | Fedora Local Security Checks | medium |
130784 | Fedora 31 : python35 (2019-57462fa10d) | Nessus | Fedora Local Security Checks | medium |
129618 | Fedora 31 : python34 (2019-50772cf122) | Nessus | Fedora Local Security Checks | medium |
129212 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019) | Nessus | Huawei Local Security Checks | medium |
129029 | Fedora 29 : python34 (2019-5dc275c9f2) | Nessus | Fedora Local Security Checks | medium |
129027 | Fedora 30 : python34 (2019-2b1f72899a) | Nessus | Fedora Local Security Checks | medium |
128937 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2019-1934) | Nessus | Huawei Local Security Checks | medium |
128918 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866) | Nessus | Huawei Local Security Checks | medium |
128631 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1) | Nessus | Ubuntu Local Security Checks | medium |
128089 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1797) | Nessus | Huawei Local Security Checks | medium |
128019 | SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2) | Nessus | SuSE Local Security Checks | high |
127998 | openSUSE Security Update : python (openSUSE-2019-1906) | Nessus | SuSE Local Security Checks | medium |
127986 | RHEL 7 : Virtualization Manager (RHSA-2019:2437) | Nessus | Red Hat Local Security Checks | medium |
127815 | Amazon Linux AMI : python34 / python35,python36 (ALAS-2019-1259) | Nessus | Amazon Linux Local Security Checks | medium |
127814 | Amazon Linux AMI : python27 (ALAS-2019-1258) | Nessus | Amazon Linux Local Security Checks | medium |
127783 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1) | Nessus | SuSE Local Security Checks | medium |
127770 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1) | Nessus | SuSE Local Security Checks | medium |
127768 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1) | Nessus | SuSE Local Security Checks | high |
127766 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1) | Nessus | SuSE Local Security Checks | medium |
127514 | Fedora 29 : python3 / python3-docs (2019-60a1defcd1) | Nessus | Fedora Local Security Checks | medium |
127463 | Amazon Linux 2 : python3 (ALAS-2019-1259) | Nessus | Amazon Linux Local Security Checks | medium |
127462 | Amazon Linux 2 : python (ALAS-2019-1258) | Nessus | Amazon Linux Local Security Checks | medium |
127446 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python Vulnerability (NS-SA-2019-0163) | Nessus | NewStart CGSL Local Security Checks | medium |
127440 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2019-0160) | Nessus | NewStart CGSL Local Security Checks | medium |
127105 | Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b) | Nessus | Fedora Local Security Checks | medium |
127015 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-1778) | Nessus | Huawei Local Security Checks | medium |
127008 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-1771) | Nessus | Huawei Local Security Checks | medium |
126659 | Fedora 29 : python36 (2019-7df59302e0) | Nessus | Fedora Local Security Checks | medium |
126658 | Fedora 30 : python36 (2019-7723d4774a) | Nessus | Fedora Local Security Checks | medium |
126222 | Debian DLA-1834-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium |
126219 | CentOS 7 : python (CESA-2019:1587) | Nessus | CentOS Local Security Checks | medium |
126178 | Photon OS 1.0: Python3 PHSA-2019-1.0-0240 | Nessus | PhotonOS Local Security Checks | high |
126177 | Photon OS 1.0: Python2 PHSA-2019-1.0-0240 | Nessus | PhotonOS Local Security Checks | high |
126145 | Scientific Linux Security Update : python on SL7.x x86_64 (20190620) | Nessus | Scientific Linux Local Security Checks | medium |
126142 | Oracle Linux 7 : python (ELSA-2019-1587) | Nessus | Oracle Linux Local Security Checks | medium |
126109 | Photon OS 2.0: Python3 PHSA-2019-2.0-0165 | Nessus | PhotonOS Local Security Checks | high |
126108 | Photon OS 2.0: Python2 PHSA-2019-2.0-0165 | Nessus | PhotonOS Local Security Checks | high |
126089 | RHEL 7 : python (RHSA-2019:1587) | Nessus | Red Hat Local Security Checks | medium |