CVE-2019-9948

MEDIUM

Description

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html

http://www.securityfocus.com/bid/107549

https://access.redhat.com/errata/RHSA-2019:1700

https://access.redhat.com/errata/RHSA-2019:2030

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/errata/RHSA-2019:3520

https://bugs.python.org/issue35907

https://github.com/python/cpython/pull/11842

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/

https://lists.fedoraproject.org/archives/list/[email protected]/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/

https://seclists.org/bugtraq/2019/Oct/29

https://security.gentoo.org/glsa/202003-26

https://security.netapp.com/advisory/ntap-20190404-0004/

https://usn.ubuntu.com/4127-1/

https://usn.ubuntu.com/4127-2/

Details

Source: MITRE

Published: 2019-03-23

Updated: 2020-08-24

Type: CWE-22

Risk Information

CVSS v2.0

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

ID | Name | Product | Family | Severity
145658 | CentOS 8 : python3 (CESA-2019:3520) | Nessus | CentOS Local Security Checks | medium
145618 | CentOS 8 : python27:2.7 (CESA-2019:3335) | Nessus | CentOS Local Security Checks | high
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium
138529 | Debian DLA-2280-1 : python3.5 security update | Nessus | Debian Local Security Checks | medium
135459 | RHEL 7 : python (RHSA-2020:1462) | Nessus | Red Hat Local Security Checks | medium
135247 | RHEL 7 : python (RHSA-2020:1346) | Nessus | Red Hat Local Security Checks | medium
135089 | RHEL 7 : python (RHSA-2020:1268) | Nessus | Red Hat Local Security Checks | medium
134603 | GLSA-202003-26 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical
132508 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python Multiple Vulnerabilities (NS-SA-2019-0229) | Nessus | NewStart CGSL Local Security Checks | medium
131244 | Amazon Linux AMI : python34 (ALAS-2019-1324) | Nessus | Amazon Linux Local Security Checks | medium
130548 | RHEL 8 : python3 (RHSA-2019:3520) | Nessus | Red Hat Local Security Checks | medium
130527 | RHEL 8 : python27:2.7 (RHSA-2019:3335) | Nessus | Red Hat Local Security Checks | high
130079 | Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2019-293-01) | Nessus | Slackware Local Security Checks | medium
129884 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0187) | Nessus | NewStart CGSL Local Security Checks | medium
129450 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-2091) | Nessus | Huawei Local Security Checks | medium
129212 | EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019) | Nessus | Huawei Local Security Checks | medium
129070 | Amazon Linux 2 : python (ALAS-2019-1291) | Nessus | Amazon Linux Local Security Checks | medium
128918 | EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866) | Nessus | Huawei Local Security Checks | medium
128631 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1) | Nessus | Ubuntu Local Security Checks | medium
128333 | CentOS 7 : python (CESA-2019:2030) | Nessus | CentOS Local Security Checks | medium
128254 | Scientific Linux Security Update : python on SL7.x x86_64 (20190806) | Nessus | Scientific Linux Local Security Checks | medium
127814 | Amazon Linux AMI : python27 (ALAS-2019-1258) | Nessus | Amazon Linux Local Security Checks | medium
127651 | RHEL 7 : python (RHSA-2019:2030) | Nessus | Red Hat Local Security Checks | medium
127514 | Fedora 29 : python3 / python3-docs (2019-60a1defcd1) | Nessus | Fedora Local Security Checks | medium
127105 | Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b) | Nessus | Fedora Local Security Checks | medium
126667 | FreeBSD : python 3.7 -- multiple vulnerabilities (a449c604-a43a-11e9-b422-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | medium
126652 | Debian DLA-1852-1 : python3.4 security update | Nessus | Debian Local Security Checks | medium
126534 | FreeBSD : python 3.6 -- multiple vulnerabilities (18ed9650-a1d6-11e9-9b17-fcaa147e860e) | Nessus | FreeBSD Local Security Checks | medium
126380 | Photon OS 3.0: Python2 PHSA-2019-3.0-0009 | Nessus | PhotonOS Local Security Checks | critical
126222 | Debian DLA-1834-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium
126041 | openSUSE Security Update : python (openSUSE-2019-1580) | Nessus | SuSE Local Security Checks | medium
125764 | SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:1439-1) | Nessus | SuSE Local Security Checks | medium
125159 | Photon OS 1.0: Python2 PHSA-2019-1.0-0220 | Nessus | PhotonOS Local Security Checks | high
124937 | EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434) | Nessus | Huawei Local Security Checks | critical
124737 | EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1359) | Nessus | Huawei Local Security Checks | medium
124624 | EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1338) | Nessus | Huawei Local Security Checks | medium
124310 | openSUSE Security Update : python (openSUSE-2019-1273) | Nessus | SuSE Local Security Checks | medium
124149 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:0972-1) | Nessus | SuSE Local Security Checks | medium
124084 | SUSE SLES11 Security Update : python (SUSE-SU-2019:14018-1) | Nessus | SuSE Local Security Checks | medium