CVE-2019-9636

MEDIUM

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by improper handling of Unicode in the netloc (authority) component of a URL during NFKC normalization. urllib.parse.urlsplit and urllib.parse.urlparse split the URL on its raw characters, but the hostname is NFKC-normalized later (the IDNA encoder applies it), and some non-ASCII characters normalize to the ASCII delimiters /, ?, #, @ or :. The netloc, and therefore the hostname, that the parser reports can then differ from the host a correctly normalized parse would yield.

Impact: information disclosure. Credentials, cookies and similar data cached against a given hostname can be looked up with the incorrectly parsed hostname and sent to a different host than the one the URL names when parsed correctly.

Affected components: urllib.parse.urlsplit, urllib.parse.urlparse.

Attack vector: a specially crafted URL that the application parses and then uses to select cached cookies or authentication data before sending a request.

Fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. The fixed versions make urlsplit() and urlparse() raise ValueError when NFKC normalization of the netloc would introduce one of those delimiters, so callers must be prepared to handle that exception.
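The mismatch described above, as an added example (this is not code from the CVE record or from CPython). The crafted URL is constructed for the demonstration: U+FF03 FULLWIDTH NUMBER SIGN normalizes to an ASCII '#', so an unpatched urlsplit() reports the hostname as bing.com while the NFKC-normalized form names example.com. The guard function independently re-implements the idea behind the upstream fix referenced below (bpo-36216 / PR 12201) so that it works on any interpreter version; it is this page's own code, not CPython's.

```python
"""CVE-2019-9636: parsed hostname vs. NFKC-normalized hostname.

Added example for this entry; not code from the CVE record or from CPython.
It shows the parsing mismatch the description talks about and a stand-alone
guard that rejects such netlocs regardless of interpreter version.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed attacker-controlled URL (assumed for the demo).  U+FF03 is
# FULLWIDTH NUMBER SIGN; NFKC maps it to the ASCII '#'.  An unpatched
# urlsplit() keeps it inside the netloc and reports hostname 'bing.com',
# while the NFKC form 'https://example.com#@bing.com' has hostname
# 'example.com' and '@bing.com' becomes the fragment.
CRAFTED_URL = "https://example.com\uFF03@bing.com"

# Delimiters whose appearance after normalization changes the parse.
NETLOC_DELIMITERS = "/?#@:"


def parsed_hostname(url):
    """Hostname as urlsplit() reports it, or None if urlsplit() rejects the URL.

    Vulnerable interpreters return 'bing.com' for CRAFTED_URL; patched ones
    (2.7.17+, 3.5.7+, 3.6.9+, 3.7.3+) raise ValueError instead.
    """
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def normalized_hostname(url):
    """Hostname after NFKC-normalizing the whole URL first.

    This approximates what the IDNA encoder (whose nameprep step applies
    NFKC) ends up with, i.e. the 'correct' parse the description refers to.
    """
    return urlsplit(unicodedata.normalize("NFKC", url)).hostname


def netloc_is_stable_under_nfkc(netloc):
    """Return True if NFKC normalization cannot introduce a new delimiter.

    Independent re-implementation of the approach taken by the CPython fix:
    drop the delimiters the parser has already honoured, normalize what is
    left, and reject if any delimiter appears in the result.
    """
    if not netloc:
        return True
    try:
        netloc.encode("ascii")
    except UnicodeEncodeError:
        pass
    else:
        return True  # pure ASCII is a fixed point of NFKC
    stripped = netloc
    for ch in "@:#?":  # '/' can never be inside a parsed netloc
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(ch in normalized for ch in NETLOC_DELIMITERS)


def safe_urlsplit(url):
    """urlsplit() with the NFKC guard applied on every interpreter version."""
    parts = urlsplit(url)  # a patched interpreter may already raise here
    if not netloc_is_stable_under_nfkc(parts.netloc):
        raise ValueError(
            "netloc %r changes under NFKC normalization" % (parts.netloc,)
        )
    return parts


def hostnames_agree(url):
    """True when the parsed hostname equals the NFKC-normalized hostname.

    False is the CVE condition; parsed_hostname() returning None means the
    interpreter already rejected the URL, which also counts as disagreement.
    """
    parsed = parsed_hostname(url)
    return parsed is not None and parsed == normalized_hostname(url)


if __name__ == "__main__":
    print("parsed hostname     :", parsed_hostname(CRAFTED_URL))
    print("normalized hostname :", normalized_hostname(CRAFTED_URL))
    print("netloc stable       :",
          netloc_is_stable_under_nfkc("example.com\uFF03@bing.com"))
    print("hostnames agree     :", hostnames_agree(CRAFTED_URL))
```

On a patched interpreter the first line prints None because urlsplit() rejects the URL; on a vulnerable one it prints bing.com against a normalized hostname of example.com. Code that still runs on an affected interpreter can route URL parsing through safe_urlsplit() and treat the ValueError as a hard failure rather than falling back to the raw netloc.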

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

http://www.securityfocus.com/bid/107400

https://access.redhat.com/errata/RHBA-2019:0763

https://access.redhat.com/errata/RHBA-2019:0764

https://access.redhat.com/errata/RHBA-2019:0959

https://access.redhat.com/errata/RHSA-2019:0710

https://access.redhat.com/errata/RHSA-2019:0765

https://access.redhat.com/errata/RHSA-2019:0806

https://access.redhat.com/errata/RHSA-2019:0902

https://access.redhat.com/errata/RHSA-2019:0981

https://access.redhat.com/errata/RHSA-2019:0997

https://access.redhat.com/errata/RHSA-2019:1467

https://access.redhat.com/errata/RHSA-2019:2980

https://access.redhat.com/errata/RHSA-2019:3170

https://bugs.python.org/issue36216

https://github.com/python/cpython/pull/12201

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190517-0001/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

https://www.oracle.com/security-alerts/cpujan2020.html

Details

Source: MITRE

Published: 2019-03-08

Updated: 2020-10-29

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins (77 total)

ID | Name | Product | Family | Severity
145592 | CentOS 8 : python27:2.7 (CESA-2019:0981) | Nessus | CentOS Local Security Checks | high
144537 | Virtuozzo 6 : python / python-devel / python-libs / python-test / etc (VZLSA-2019-1467) | Nessus | Virtuozzo Local Security Checks | medium
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | medium
134603 | GLSA-202003-26 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
133448 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1) | Nessus | SuSE Local Security Checks | high
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | medium
130797 | Fedora 29 : python35 (2019-d202cda4f8) | Nessus | Fedora Local Security Checks | medium
130793 | Fedora 30 : python35 (2019-b06ec6159b) | Nessus | Fedora Local Security Checks | medium
130784 | Fedora 31 : python35 (2019-57462fa10d) | Nessus | Fedora Local Security Checks | medium
130155 | RHEL 7 : python (RHSA-2019:3170) | Nessus | Red Hat Local Security Checks | medium
129742 | RHEL 7 : python (RHSA-2019:2980) | Nessus | Red Hat Local Security Checks | medium
129029 | Fedora 29 : python34 (2019-5dc275c9f2) | Nessus | Fedora Local Security Checks | medium
129027 | Fedora 30 : python34 (2019-2b1f72899a) | Nessus | Fedora Local Security Checks | medium
128700 | NewStart CGSL MAIN 4.06 : python Vulnerability (NS-SA-2019-0174) | Nessus | NewStart CGSL Local Security Checks | medium
128631 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1) | Nessus | Ubuntu Local Security Checks | medium
128019 | SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2) | Nessus | SuSE Local Security Checks | high
127998 | openSUSE Security Update : python (openSUSE-2019-1906) | Nessus | SuSE Local Security Checks | medium
127783 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1) | Nessus | SuSE Local Security Checks | medium
127770 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1) | Nessus | SuSE Local Security Checks | medium
127768 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1) | Nessus | SuSE Local Security Checks | high
127766 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1) | Nessus | SuSE Local Security Checks | medium
127576 | Oracle Linux 8 : python3 (ELSA-2019-0997) | Nessus | Oracle Linux Local Security Checks | medium
127571 | Oracle Linux 8 : python27:2.7 (ELSA-2019-0981) | Nessus | Oracle Linux Local Security Checks | high
127514 | Fedora 29 : python3 / python3-docs (2019-60a1defcd1) | Nessus | Fedora Local Security Checks | medium
127453 | NewStart CGSL MAIN 4.05 : python Vulnerability (NS-SA-2019-0166) | Nessus | NewStart CGSL Local Security Checks | medium
127255 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0061) | Nessus | NewStart CGSL Local Security Checks | medium
127105 | Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b) | Nessus | Fedora Local Security Checks | medium
127071 | Amazon Linux AMI : python35 (ALAS-2019-1243) | Nessus | Amazon Linux Local Security Checks | medium
126659 | Fedora 29 : python36 (2019-7df59302e0) | Nessus | Fedora Local Security Checks | medium
126658 | Fedora 30 : python36 (2019-7723d4774a) | Nessus | Fedora Local Security Checks | medium
126383 | Amazon Linux 2 : python (ALAS-2019-1230) | Nessus | Amazon Linux Local Security Checks | medium
126346 | Amazon Linux AMI : python27 (ALAS-2019-1230) | Nessus | Amazon Linux Local Security Checks | medium
126222 | Debian DLA-1834-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium
126145 | Scientific Linux Security Update : python on SL7.x x86_64 (20190620) | Nessus | Scientific Linux Local Security Checks | medium
126074 | CentOS 6 : python (CESA-2019:1467) | Nessus | CentOS Local Security Checks | medium
126041 | openSUSE Security Update : python (openSUSE-2019-1580) | Nessus | SuSE Local Security Checks | medium
125916 | Scientific Linux Security Update : python on SL6.x i386/x86_64 (20190613) | Nessus | Scientific Linux Local Security Checks | medium
125915 | RHEL 6 : python (RHSA-2019:1467) | Nessus | Red Hat Local Security Checks | medium
125914 | Oracle Linux 6 : python (ELSA-2019-1467) | Nessus | Oracle Linux Local Security Checks | medium
125764 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:1439-1) | Nessus | SuSE Local Security Checks | medium
125604 | Amazon Linux AMI : python36 (ALAS-2019-1204) | Nessus | Amazon Linux Local Security Checks | medium
125434 | Fedora 29 : python3 (2019-ec26883852) | Nessus | Fedora Local Security Checks | medium
125229 | Fedora 30 : python3 (2019-1ffd6b6064) | Nessus | Fedora Local Security Checks | medium
124937 | EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434) | Nessus | Huawei Local Security Checks | critical
124906 | EulerOS Virtualization for ARM 64 3.0.1.0 : python (EulerOS-SA-2019-1403) | Nessus | Huawei Local Security Checks | medium
124848 | openSUSE Security Update : python3 (openSUSE-2019-1371) | Nessus | SuSE Local Security Checks | medium
124673 | RHEL 8 : python3 (RHSA-2019:0997) | Nessus | Red Hat Local Security Checks | medium
124668 | RHEL 8 : python27:2.7 (RHSA-2019:0981) | Nessus | Red Hat Local Security Checks | high
124655 | Amazon Linux AMI : python34 (ALAS-2019-1202) | Nessus | Amazon Linux Local Security Checks | medium
124623 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-1337) | Nessus | Huawei Local Security Checks | medium
124594 | Amazon Linux 2 : python3 (ALAS-2019-1204) | Nessus | Amazon Linux Local Security Checks | medium
124524 | Fedora 30 : python3 (2019-a122fe704d) | Nessus | Fedora Local Security Checks | medium
124511 | Fedora 30 : python34 (2019-7d9f3cf3ce) | Nessus | Fedora Local Security Checks | medium
124492 | Fedora 30 : python35 (2019-51f1e08207) | Nessus | Fedora Local Security Checks | medium
124356 | openSUSE Security Update : python3 (openSUSE-2019-1282) | Nessus | SuSE Local Security Checks | medium
124310 | openSUSE Security Update : python (openSUSE-2019-1273) | Nessus | SuSE Local Security Checks | medium
124149 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:0972-1) | Nessus | SuSE Local Security Checks | medium
124148 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:0971-1) | Nessus | SuSE Local Security Checks | medium
124113 | SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:0961-1) | Nessus | SuSE Local Security Checks | medium
124084 | SUSE SLES11 Security Update : python (SUSE-SU-2019:14018-1) | Nessus | SuSE Local Security Checks | medium
124033 | CentOS 7 : python (CESA-2019:0710) | Nessus | CentOS Local Security Checks | medium
123960 | Oracle Linux 7 : python (ELSA-2019-0710) | Nessus | Oracle Linux Local Security Checks | medium
123917 | Scientific Linux Security Update : python on SL7.x x86_64 (20190408) | Nessus | Scientific Linux Local Security Checks | medium
123915 | RHEL 7 : python (RHSA-2019:0710) | Nessus | Red Hat Local Security Checks | medium
123762 | Fedora 28 : python3 (2019-86f32cbab1) | Nessus | Fedora Local Security Checks | medium
123745 | EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1277) | Nessus | Huawei Local Security Checks | medium
123623 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1149) | Nessus | Huawei Local Security Checks | medium
123598 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1124) | Nessus | Huawei Local Security Checks | medium
123480 | Fedora 28 : python35 (2019-cf725dd20b) | Nessus | Fedora Local Security Checks | medium
123476 | Fedora 28 : python34 (2019-6baeb15da3) | Nessus | Fedora Local Security Checks | medium
123475 | Fedora 29 : python34 (2019-6b02154aa0) | Nessus | Fedora Local Security Checks | medium
123140 | Fedora 29 : python35 (2019-6e1938a3c5) | Nessus | Fedora Local Security Checks | medium
123099 | Fedora 29 : python3 (2019-243442e600) | Nessus | Fedora Local Security Checks | medium