Alpine: python2: security update to 2.7.15-r2

critical Tenable Self-Hosted Container Security Plugin ID 406734

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This
could make it easy to conduct denial of service attacks against Expat by constructing an XML document that
would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU
and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6,
3.4.0 through 3.4.9, 2.7.0 through 2.7.15. (CVE-2018-14647)

- Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding
(with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials,
cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit,
urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host than when parsed correctly.
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8,
v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1;
v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1,
v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9636)

- urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote
attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call. (CVE-2019-9948)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-14647

https://security.alpinelinux.org/vuln/CVE-2019-9636

https://security.alpinelinux.org/vuln/CVE-2019-9948

Plugin Details

Severity: Critical

ID: 406734

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.17

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-9948

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-9636

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/22/2018

Reference Information

CVE: CVE-2018-14647, CVE-2019-9636, CVE-2019-9948

BID: 105396, 107400, 107549

IAVA: 2021-A-0263-S