CVE-2019-9636 Information
Description
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9, v3.5.10, v3.5.10rc1; v3.6.9, v3.6.9rc1, v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
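The mismatch behind this CVE is a canonicalization disagreement: urlsplit cut the authority on literal delimiters, but later components (IDNA/nameprep applies NFKC to hostnames) normalize first, and several compatibility characters normalize into URL delimiters (U+FF03 FULLWIDTH NUMBER SIGN becomes "#", U+FF20 becomes "@", U+2100 becomes "a/c"). The following is an editor-added Python example, not code from CPython or from any of the advisories referenced on this page. Its guard is a reimplementation modelled on the _checknetloc() check added by the fix for bpo-36216 (assumption: same delimiter set "/?#@:" and the same step of ignoring delimiters already present); the URLs are constructed inputs.

```python
import unicodedata
from urllib.parse import urlsplit

# Editor-added example for CVE-2019-9636; not CPython's own code. The guard
# below is a reimplementation modelled on the _checknetloc() check that the
# bpo-36216 fix added to urllib.parse (assumption: same delimiter set "/?#@:"
# and the same "ignore delimiters already present" step).
NETLOC_DELIMITERS = "/?#@:"


def nfkc_introduced_delimiters(netloc):
    """Return the URL delimiters that NFKC normalization would *introduce*
    into netloc ("" if none). Pure-ASCII netlocs are stable under NFKC."""
    if not netloc or netloc.isascii():
        return ""
    # '@' (userinfo) and ':' (port) are legitimate when literally present;
    # drop every already-present delimiter so only new ones are reported.
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return ""
    return "".join(c for c in NETLOC_DELIMITERS if c in normalized)


def _delimiter_first_host(url):
    """Host as a parser that splits on literal delimiters *before* any
    normalization sees it (the pre-fix urlsplit behaviour): cut the authority
    at the first '/', '?' or '#', keep what follows the last '@', drop the port."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("absolute URL expected")
    authority = rest
    for delim in "/?#":
        authority = authority.split(delim, 1)[0]
    host = authority.rpartition("@")[2]
    if host.startswith("[") and "]" in host:        # IPv6 literal
        return host[: host.index("]") + 1].lower()
    return host.partition(":")[0].lower()


def host_disagreement(url):
    """(apparent_host, effective_host): the host a delimiter-first parser
    assigns versus the host of the NFKC-normalized URL, which is what an
    IDNA/nameprep-style component (nameprep applies NFKC) ends up with."""
    apparent = _delimiter_first_host(url)
    effective = urlsplit(unicodedata.normalize("NFKC", url)).hostname or ""
    return apparent, effective


def runtime_urlsplit_rejects(url):
    """True if this interpreter's urlsplit refuses url; fixed versions raise
    ValueError when the netloc gains a delimiter under NFKC."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs. U+FF03 FULLWIDTH NUMBER SIGN normalizes to "#".
    crafted = "https://example.com\uff03@bing.com"
    samples = (
        crafted,
        "https://b\u00fccher.example/x",                 # legitimate IDN host
        "https://user:pw@b\u00fccher.example:8443/",     # literal '@' and ':'
    )
    for url in samples:
        netloc = url.partition("://")[2].split("/", 1)[0]
        print(repr(url))
        print("  NFKC-introduced delimiters:", repr(nfkc_introduced_delimiters(netloc)))
        print("  apparent / effective host: ", host_disagreement(url))
        print("  this urlsplit rejects it:  ", runtime_urlsplit_rejects(url))
```

For the crafted URL the delimiter-first view yields bing.com (so a client keying its cookie jar or credential cache on that result attaches bing.com data), while the NFKC-normalized URL is https://example.com#@bing.com, whose host is example.com. On an interpreter carrying the fix, runtime_urlsplit_rejects returns True for that URL because urlsplit raises ValueError; on 2.7.16 or 3.7.2 it returns False and urlsplit reports hostname bing.com. The two legitimate non-ASCII samples pass the guard, which is the point of stripping delimiters that are already literally present before comparing.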
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://www.securityfocus.com/bid/107400
https://access.redhat.com/errata/RHBA-2019:0763
https://access.redhat.com/errata/RHBA-2019:0764
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:0710
https://access.redhat.com/errata/RHSA-2019:0765
https://access.redhat.com/errata/RHSA-2019:0806
https://access.redhat.com/errata/RHSA-2019:0902
https://access.redhat.com/errata/RHSA-2019:0981
https://access.redhat.com/errata/RHSA-2019:0997
https://access.redhat.com/errata/RHSA-2019:1467
https://access.redhat.com/errata/RHSA-2019:2980
https://access.redhat.com/errata/RHSA-2019:3170
https://bugs.python.org/issue36216
https://github.com/python/cpython/pull/12201
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://security.gentoo.org/glsa/202003-26
https://security.netapp.com/advisory/ntap-20190517-0001/
https://usn.ubuntu.com/4127-1/
https://usn.ubuntu.com/4127-2/
https://www.oracle.com/security-alerts/cpujan2020.html
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
CRITICAL