NewStart CGSL MAIN 4.06 : python Vulnerability (NS-SA-2019-0174)

Medium Nessus Plugin ID 128700

Synopsis

The remote machine is affected by a vulnerability.

Description

The remote NewStart CGSL host, running version MAIN 4.06, has python packages installed that are affected by a vulnerability:

- Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
(CVE-2019-9636)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2019-0174

Plugin Details

Severity: Medium

ID: 128700

File Name: newstart_cgsl_NS-SA-2019-0174_python.nasl

Version: 1.5

Type: local

Published: 2019/09/11

Updated: 2019/09/11

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2019-9636

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Patch Publication Date: 2019/08/29

Vulnerability Publication Date: 2019/03/08

Reference Information

CVE: CVE-2019-9636

BID: 107400