NewStart CGSL MAIN 4.06 : python Vulnerability (NS-SA-2019-0174)
Medium Nessus Plugin ID 128700
SynopsisThe remote machine is affected by a vulnerability.
DescriptionThe remote NewStart CGSL host, running version MAIN 4.06, has python packages installed that are affected by a vulnerability:
- Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for more information.