CVE-2019-9636

critical

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by improper handling of Unicode encoding (with an incorrect netloc) during NFKC normalization.

Impact: information disclosure (credentials, cookies, etc. that are cached against a given hostname).

Affected components: urllib.parse.urlsplit and urllib.parse.urlparse.

Attack vector: a specially crafted URL can be parsed so that cookies or authentication data are located for one hostname while the request is sent to a different host than the one obtained when the URL is parsed correctly. The root cause is that some non-ASCII characters (fullwidth forms, for example) are not URL delimiters until NFKC normalization turns them into '/', '?', '#', '@' or ':', so a parser that normalizes the netloc and one that does not disagree about where the netloc ends and which host it names.

Fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Note on scoring: the description claims information disclosure only, whereas the CVSS v3 vector recorded below (C:H/I:H/A:H, base score 9.8) also rates integrity and availability impact as High; the CVSS v2 vector (C:P/I:N/A:N) matches the described impact more closely.
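The host confusion described above, as an added Python example (this is not code from the CPython project, from this advisory or from the upstream fix): naive_host() models how the pre-fix urlsplit() located the netloc and host without any normalization, hosts_before_and_after_nfkc() shows the two hosts that a non-normalizing and a normalizing parser extract from the same crafted URL, and nfkc_netloc_is_safe() re-implements the netloc check that the fix in PR 12201 added so the same test can be applied in application code that validates URLs before handing them to another parser. The hostnames trusted.example and attacker.example are illustrative placeholders.

```python
"""CVE-2019-9636: host confusion via NFKC normalization of the netloc.

Added example, not code from CPython or from this advisory. naive_host()
models the pre-fix urlsplit() netloc handling; nfkc_netloc_is_safe()
re-implements the check the upstream fix added (bpo-36216 / PR 12201).
trusted.example and attacker.example are placeholder hosts.
"""
import unicodedata
from urllib.parse import urlsplit


def nfkc_delimiter_expansions() -> dict:
    """Characters that are not URL delimiters until NFKC normalization turns
    them into one. Values are the real NFKC results (compatibility
    decompositions from the Unicode data, not assumptions)."""
    return {c: unicodedata.normalize("NFKC", c)
            for c in ("\uFF03", "\uFF0F", "\uFF1F", "\uFF20", "\uFF1A", "\u2100")}


def naive_host(url: str) -> str:
    """Model of the pre-fix urlsplit(): the netloc runs from after '//' to the
    first literal '/', '?' or '#'; the host is what follows the last '@',
    minus any ':port'. Nothing is normalized, so a fullwidth '＃' (U+FF03)
    is just another hostname character here."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    netloc = rest[:end]
    host = netloc.rpartition("@")[2]
    return host.rsplit(":", 1)[0]  # toy model: no IPv6 literals


def hosts_before_and_after_nfkc(url: str) -> tuple:
    """Return (host chosen by a non-normalizing parser, host seen by a
    component that NFKC-normalizes the URL first, as IDNA-style hostname
    handling does). A mismatch is the CVE: cookies or credentials are
    selected for the first host and the request goes to the second."""
    return naive_host(url), naive_host(unicodedata.normalize("NFKC", url))


def nfkc_netloc_is_safe(netloc: str) -> bool:
    """Re-implementation of the fix's netloc check: reject a non-ASCII netloc
    if NFKC normalization introduces a delimiter that was not literally
    present. Literal delimiters are stripped first because they are parsed
    the same way whether or not normalization happens."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for delim in "@:#?":
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(delim in normalized for delim in "/?#@:")


def interpreter_rejects(url: str) -> bool:
    """True if this interpreter's urlsplit() raises ValueError on the URL,
    i.e. it carries the fix for CVE-2019-9636."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    crafted = [
        "https://attacker.example\uFF03@trusted.example",  # U+FF03 -> '#'
        "https://attacker.example\uFF0F@trusted.example",  # U+FF0F -> '/'
    ]
    for url in crafted:
        before, after = hosts_before_and_after_nfkc(url)
        print(f"{url!r}: credentials for {before}, request to {after}; "
              f"patched urlsplit rejects: {interpreter_rejects(url)}")
    print("benign IDN netloc accepted:",
          nfkc_netloc_is_safe("b\u00fccher.example:443"))
```

On a patched interpreter urlsplit() itself raises ValueError for these netlocs, which interpreter_rejects() shows. The practical check for an application is whether every component that parses the same URL (the Python code, the HTTP client, a proxy, the browser) agrees on the host; a URL that passes nfkc_netloc_is_safe() cannot change host under NFKC, while one that fails it should be rejected rather than sent anywhere.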

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

http://www.securityfocus.com/bid/107400

https://access.redhat.com/errata/RHBA-2019:0763

https://access.redhat.com/errata/RHBA-2019:0764

https://access.redhat.com/errata/RHBA-2019:0959

https://access.redhat.com/errata/RHSA-2019:0710

https://access.redhat.com/errata/RHSA-2019:0765

https://access.redhat.com/errata/RHSA-2019:0806

https://access.redhat.com/errata/RHSA-2019:0902

https://access.redhat.com/errata/RHSA-2019:0981

https://access.redhat.com/errata/RHSA-2019:0997

https://access.redhat.com/errata/RHSA-2019:1467

https://access.redhat.com/errata/RHSA-2019:2980

https://access.redhat.com/errata/RHSA-2019:3170

https://bugs.python.org/issue36216

https://github.com/python/cpython/pull/12201

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190517-0001/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

https://www.oracle.com/security-alerts/cpujan2020.html

Details

Source: MITRE

Published: 2019-03-08

Updated: 2020-10-29

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

78 plugins in total:

ID | Name | Product | Family | Severity
--- | --- | --- | --- | ---
151496 | F5 Networks BIG-IP : Python vulnerability (K57542514) | Nessus | F5 Networks Local Security Checks | critical
145592 | CentOS 8 : python27:2.7 (CESA-2019:0981) | Nessus | CentOS Local Security Checks | critical
144537 | Virtuozzo 6 : python / python-devel / python-libs / python-test / etc (VZLSA-2019-1467) | Nessus | Virtuozzo Local Security Checks | critical
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | critical
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | critical
134603 | GLSA-202003-26 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
133448 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1) | Nessus | SuSE Local Security Checks | critical
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | critical
130797 | Fedora 29 : python35 (2019-d202cda4f8) | Nessus | Fedora Local Security Checks | critical
130793 | Fedora 30 : python35 (2019-b06ec6159b) | Nessus | Fedora Local Security Checks | critical
130784 | Fedora 31 : python35 (2019-57462fa10d) | Nessus | Fedora Local Security Checks | critical
130155 | RHEL 7 : python (RHSA-2019:3170) | Nessus | Red Hat Local Security Checks | critical
129742 | RHEL 7 : python (RHSA-2019:2980) | Nessus | Red Hat Local Security Checks | critical
129029 | Fedora 29 : python34 (2019-5dc275c9f2) | Nessus | Fedora Local Security Checks | critical
129027 | Fedora 30 : python34 (2019-2b1f72899a) | Nessus | Fedora Local Security Checks | critical
128700 | NewStart CGSL MAIN 4.06 : python Vulnerability (NS-SA-2019-0174) | Nessus | NewStart CGSL Local Security Checks | critical
128631 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1) | Nessus | Ubuntu Local Security Checks | critical
128019 | SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2) | Nessus | SuSE Local Security Checks | critical
127998 | openSUSE Security Update : python (openSUSE-2019-1906) | Nessus | SuSE Local Security Checks | critical
127783 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1) | Nessus | SuSE Local Security Checks | critical
127770 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1) | Nessus | SuSE Local Security Checks | critical
127768 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1) | Nessus | SuSE Local Security Checks | critical
127766 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1) | Nessus | SuSE Local Security Checks | critical
127576 | Oracle Linux 8 : python3 (ELSA-2019-0997) | Nessus | Oracle Linux Local Security Checks | critical
127571 | Oracle Linux 8 : python27:2.7 (ELSA-2019-0981) | Nessus | Oracle Linux Local Security Checks | critical
127514 | Fedora 29 : python3 / python3-docs (2019-60a1defcd1) | Nessus | Fedora Local Security Checks | critical
127453 | NewStart CGSL MAIN 4.05 : python Vulnerability (NS-SA-2019-0166) | Nessus | NewStart CGSL Local Security Checks | critical
127255 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0061) | Nessus | NewStart CGSL Local Security Checks | critical
127105 | Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b) | Nessus | Fedora Local Security Checks | critical
127071 | Amazon Linux AMI : python35 (ALAS-2019-1243) | Nessus | Amazon Linux Local Security Checks | critical
126659 | Fedora 29 : python36 (2019-7df59302e0) | Nessus | Fedora Local Security Checks | critical
126658 | Fedora 30 : python36 (2019-7723d4774a) | Nessus | Fedora Local Security Checks | critical
126383 | Amazon Linux 2 : python (ALAS-2019-1230) | Nessus | Amazon Linux Local Security Checks | critical
126346 | Amazon Linux AMI : python27 (ALAS-2019-1230) | Nessus | Amazon Linux Local Security Checks | critical
126222 | Debian DLA-1834-1 : python2.7 security update | Nessus | Debian Local Security Checks | critical
126145 | Scientific Linux Security Update : python on SL7.x x86_64 (20190620) | Nessus | Scientific Linux Local Security Checks | critical
126074 | CentOS 6 : python (CESA-2019:1467) | Nessus | CentOS Local Security Checks | critical
126041 | openSUSE Security Update : python (openSUSE-2019-1580) | Nessus | SuSE Local Security Checks | critical
125916 | Scientific Linux Security Update : python on SL6.x i386/x86_64 (20190613) | Nessus | Scientific Linux Local Security Checks | critical
125915 | RHEL 6 : python (RHSA-2019:1467) | Nessus | Red Hat Local Security Checks | critical
125914 | Oracle Linux 6 : python (ELSA-2019-1467) | Nessus | Oracle Linux Local Security Checks | critical
125764 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:1439-1) | Nessus | SuSE Local Security Checks | critical
125604 | Amazon Linux AMI : python36 (ALAS-2019-1204) | Nessus | Amazon Linux Local Security Checks | critical
125434 | Fedora 29 : python3 (2019-ec26883852) | Nessus | Fedora Local Security Checks | critical
125229 | Fedora 30 : python3 (2019-1ffd6b6064) | Nessus | Fedora Local Security Checks | critical
124937 | EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434) | Nessus | Huawei Local Security Checks | critical
124906 | EulerOS Virtualization for ARM 64 3.0.1.0 : python (EulerOS-SA-2019-1403) | Nessus | Huawei Local Security Checks | critical
124848 | openSUSE Security Update : python3 (openSUSE-2019-1371) | Nessus | SuSE Local Security Checks | critical
124673 | RHEL 8 : python3 (RHSA-2019:0997) | Nessus | Red Hat Local Security Checks | critical
124668 | RHEL 8 : python27:2.7 (RHSA-2019:0981) | Nessus | Red Hat Local Security Checks | critical
124655 | Amazon Linux AMI : python34 (ALAS-2019-1202) | Nessus | Amazon Linux Local Security Checks | critical
124623 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-1337) | Nessus | Huawei Local Security Checks | critical
124594 | Amazon Linux 2 : python3 (ALAS-2019-1204) | Nessus | Amazon Linux Local Security Checks | critical
124524 | Fedora 30 : python3 (2019-a122fe704d) | Nessus | Fedora Local Security Checks | critical
124511 | Fedora 30 : python34 (2019-7d9f3cf3ce) | Nessus | Fedora Local Security Checks | critical
124492 | Fedora 30 : python35 (2019-51f1e08207) | Nessus | Fedora Local Security Checks | critical
124356 | openSUSE Security Update : python3 (openSUSE-2019-1282) | Nessus | SuSE Local Security Checks | critical
124310 | openSUSE Security Update : python (openSUSE-2019-1273) | Nessus | SuSE Local Security Checks | critical
124149 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:0972-1) | Nessus | SuSE Local Security Checks | critical
124148 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:0971-1) | Nessus | SuSE Local Security Checks | critical
124113 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:0961-1) | Nessus | SuSE Local Security Checks | critical
124084 | SUSE SLES11 Security Update : python (SUSE-SU-2019:14018-1) | Nessus | SuSE Local Security Checks | critical
124033 | CentOS 7 : python (CESA-2019:0710) | Nessus | CentOS Local Security Checks | critical
123960 | Oracle Linux 7 : python (ELSA-2019-0710) | Nessus | Oracle Linux Local Security Checks | critical
123917 | Scientific Linux Security Update : python on SL7.x x86_64 (20190408) | Nessus | Scientific Linux Local Security Checks | critical
123915 | RHEL 7 : python (RHSA-2019:0710) | Nessus | Red Hat Local Security Checks | critical
123762 | Fedora 28 : python3 (2019-86f32cbab1) | Nessus | Fedora Local Security Checks | critical
123745 | EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1277) | Nessus | Huawei Local Security Checks | critical
123623 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1149) | Nessus | Huawei Local Security Checks | critical
123598 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1124) | Nessus | Huawei Local Security Checks | critical
123480 | Fedora 28 : python35 (2019-cf725dd20b) | Nessus | Fedora Local Security Checks | critical
123476 | Fedora 28 : python34 (2019-6baeb15da3) | Nessus | Fedora Local Security Checks | critical
123475 | Fedora 29 : python34 (2019-6b02154aa0) | Nessus | Fedora Local Security Checks | critical
123140 | Fedora 29 : python35 (2019-6e1938a3c5) | Nessus | Fedora Local Security Checks | critical
123099 | Fedora 29 : python3 (2019-243442e600) | Nessus | Fedora Local Security Checks | critical