PT-2019-4598 · Python+8
Published 2019-03-06 · Updated 2024-07-11 · CVE-2019-9636
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Python versions 2.7.x through 2.7.16 and 3.x through 3.7.2
Description
The vulnerability stems from improper handling of Unicode encoding during NFKC normalization in urllib.parse.urlsplit and urllib.parse.urlparse. A specially crafted URL can be parsed incorrectly so that the host component is misidentified, and a remote attacker can use this to have sensitive data, including credentials and cookies cached against a given hostname, sent to a different host, resulting in information disclosure.
Recommendations
For Python versions 2.7.x through 2.7.16, update to version 2.7.17 or later.
For Python versions 3.x through 3.7.2, update to version 3.7.3 or later.
As a temporary workaround, consider restricting the use of the urllib.parse.urlsplit and urllib.parse.urlparse functions until the update is applied.
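As an added example (not part of this advisory or of CPython itself), the pre-check below mirrors the condition the fixed releases enforce in urllib.parse, so the workaround above can be narrowed from avoiding urlsplit/urlparse entirely to rejecting only netlocs whose NFKC normalization introduces a URL delimiter. The helper names and sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import SplitResult, urlsplit

# URL delimiters that a netloc must not gain through NFKC normalization.
_NETLOC_DELIMITERS = "/?#@:"

def netloc_introduces_delimiters(netloc: str) -> bool:
    """True if NFKC-normalizing *netloc* yields a URL delimiter that the raw
    netloc did not contain (the CVE-2019-9636 condition)."""
    if not netloc or netloc.isascii():
        return False  # ASCII is unchanged by NFKC
    # Drop delimiters already legitimately present (userinfo '@', port ':',
    # stray '#'/'?') so only newly produced ones are counted.
    stripped = netloc
    for delim in "@:#?":
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return any(delim in normalized for delim in _NETLOC_DELIMITERS)

def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() that rejects netlocs whose host changes under NFKC.
    Fixed interpreters already raise ValueError inside urlsplit(); on
    unpatched ones the explicit check below gives the same behaviour."""
    parts = urlsplit(url)
    if netloc_introduces_delimiters(parts.netloc):
        raise ValueError(
            f"netloc {parts.netloc!r} contains characters that become URL "
            "delimiters under NFKC normalization"
        )
    return parts

def audit(urls):
    """Classify each URL as 'accepted' or 'rejected' by safe_urlsplit()."""
    results = {}
    for url in urls:
        try:
            safe_urlsplit(url)
            results[url] = "accepted"
        except ValueError:
            results[url] = "rejected"
    return results

# Constructed sample inputs (not taken from the advisory).
SAMPLE_URLS = [
    "https://example.com/login",        # ASCII only: accepted
    "https://ex\u00e1mple.com/login",   # IDN host, unchanged by NFKC: accepted
    "https://exam\uff03ple.com/login",  # U+FF03 normalizes to '#': rejected
]
```

Running `audit(SAMPLE_URLS)` on a patched interpreter gives the same verdicts as on an unpatched one, which is the point of the pre-check.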
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
AlmaLinux
CentOS
Linux Mint
Python
Red Hat
Rocky Linux
SUSE
Ubuntu