CVE-2019-9948

Description

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
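The bypass in the description is a blocklist problem: refusing `file:` says nothing about `local_file:`. As an added example (not code from the CVE record or from CPython), the following Python puts the weak scheme check beside an allowlist check; the regex reproduces how Python 2's urllib split off the scheme, and the sample URLs are constructed.

```python
"""Scheme validation for URLs passed to a urllib-style opener.

Added example, not from the CVE record or from CPython. It contrasts the
blocklist policy the CVE describes as bypassable with an allowlist policy,
extracting the scheme the way Python 2's urllib.splittype() did so that
'local_file:' is seen as a scheme exactly as the vulnerable code saw it.
"""
import re
from typing import Optional

# Python 2's urllib.splittype() took everything before the first ':' that
# contains no '/', so underscores are accepted and 'local_file' is a scheme.
_SCHEME_RE = re.compile(r"^([^/:]+):")


def scheme_of(url: str) -> Optional[str]:
    """Return the lower-cased scheme as urllib would have seen it, or None."""
    match = _SCHEME_RE.match(url)
    return match.group(1).lower() if match else None


def blocklist_permits(url: str) -> bool:
    """The weak policy: refuse 'file:' only. 'local_file:' slips through."""
    return scheme_of(url) != "file"


def allowlist_permits(url: str, allowed=frozenset({"http", "https"})) -> bool:
    """The hardened policy: accept only schemes that are explicitly allowed.

    A URL with no scheme (scheme_of returns None) is refused as well, rather
    than being left to whatever the opener does by default.
    """
    return scheme_of(url) in allowed


# Constructed sample inputs, including the URL quoted in the CVE description.
SAMPLE_URLS = [
    "https://example.invalid/report",
    "file:///etc/passwd",
    "local_file:///etc/passwd",
    "LOCAL_FILE:///etc/passwd",
    "ftp://example.invalid/x",
    "/etc/passwd",
]


def accepted_by(policy) -> list:
    """Return the sample URLs that a policy lets through."""
    return [u for u in SAMPLE_URLS if policy(u)]


if __name__ == "__main__":
    print("blocklist lets through:", accepted_by(blocklist_permits))
    print("allowlist lets through:", accepted_by(allowlist_permits))
```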

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html

http://www.securityfocus.com/bid/107549

https://access.redhat.com/errata/RHSA-2019:1700

https://access.redhat.com/errata/RHSA-2019:2030

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/errata/RHSA-2019:3520

https://bugs.python.org/issue35907

https://github.com/python/cpython/pull/11842

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/

https://lists.fedoraproject.org/archives/list/[email protected]/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/

https://seclists.org/bugtraq/2019/Oct/29

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190404-0004/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

Details

Source: MITRE

Published: 2019-03-23

Updated: 2020-08-24

Type: CWE-22

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

ID | Name | Product | Family | Severity
145658 | CentOS 8 : python3 (CESA-2019:3520) | Nessus | CentOS Local Security Checks | critical
145618 | CentOS 8 : python27:2.7 (CESA-2019:3335) | Nessus | CentOS Local Security Checks | critical
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | critical
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | critical
135459 | RHEL 7 : python (RHSA-2020:1462) | Nessus | Red Hat Local Security Checks | critical
135247 | RHEL 7 : python (RHSA-2020:1346) | Nessus | Red Hat Local Security Checks | critical
135089 | RHEL 7 : python (RHSA-2020:1268) | Nessus | Red Hat Local Security Checks | critical
134603 | GLSA-202003-26 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
132508 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python Multiple Vulnerabilities (NS-SA-2019-0229) | Nessus | NewStart CGSL Local Security Checks | critical
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | critical
130548 | RHEL 8 : python3 (RHSA-2019:3520) | Nessus | Red Hat Local Security Checks | critical
130527 | RHEL 8 : python27:2.7 (RHSA-2019:3335) | Nessus | Red Hat Local Security Checks | critical
130079 | Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2019-293-01) | Nessus | Slackware Local Security Checks | critical
129884 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0187) | Nessus | NewStart CGSL Local Security Checks | critical
129450 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-2091) | Nessus | Huawei Local Security Checks | critical
129212 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019) | Nessus | Huawei Local Security Checks | critical
129070 | Amazon Linux 2 : python (ALAS-2019-1291) | Nessus | Amazon Linux Local Security Checks | critical
128918 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866) | Nessus | Huawei Local Security Checks | critical
128631 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1) | Nessus | Ubuntu Local Security Checks | critical
128333 | CentOS 7 : python (CESA-2019:2030) | Nessus | CentOS Local Security Checks | critical
128254 | Scientific Linux Security Update : python on SL7.x x86_64 (20190806) | Nessus | Scientific Linux Local Security Checks | critical
127814 | Amazon Linux AMI : python27 (ALAS-2019-1258) | Nessus | Amazon Linux Local Security Checks | critical
127651 | RHEL 7 : python (RHSA-2019:2030) | Nessus | Red Hat Local Security Checks | critical
127514 | Fedora 29 : python3 / python3-docs (2019-60a1defcd1) | Nessus | Fedora Local Security Checks | critical
127105 | Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b) | Nessus | Fedora Local Security Checks | critical
126667 | FreeBSD : python 3.7 -- multiple vulnerabilities (a449c604-a43a-11e9-b422-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | critical
126652 | Debian DLA-1852-1 : python3.4 security update | Nessus | Debian Local Security Checks | critical
126534 | FreeBSD : python 3.6 -- multiple vulnerabilities (18ed9650-a1d6-11e9-9b17-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | critical
126380 | Photon OS 3.0: Python2 PHSA-2019-3.0-0009 | Nessus | PhotonOS Local Security Checks | critical
126222 | Debian DLA-1834-1 : python2.7 security update | Nessus | Debian Local Security Checks | critical
126041 | openSUSE Security Update : python (openSUSE-2019-1580) | Nessus | SuSE Local Security Checks | critical
125764 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:1439-1) | Nessus | SuSE Local Security Checks | critical
125159 | Photon OS 1.0: Python2 PHSA-2019-1.0-0220 | Nessus | PhotonOS Local Security Checks | high
124937 | EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434) | Nessus | Huawei Local Security Checks | critical
124737 | EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1359) | Nessus | Huawei Local Security Checks | critical
124624 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1338) | Nessus | Huawei Local Security Checks | critical
124310 | openSUSE Security Update : python (openSUSE-2019-1273) | Nessus | SuSE Local Security Checks | critical
124149 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:0972-1) | Nessus | SuSE Local Security Checks | critical
124084 | SUSE SLES11 Security Update : python (SUSE-SU-2019:14018-1) | Nessus | SuSE Local Security Checks | critical