PT-2019-2028 · Python+8
Sihoon Lee · Published 2019-03-23 · Updated 2024-07-11
CVE-2019-9948 · CVSS v3.1 9.1 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Python versions 2.x through 2.7.16
Description
The issue lies in the urllib module of Python 2.x, which supports a local_file: scheme alongside the usual file: scheme. This makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs: a call such as urllib.urlopen('local_file:///etc/passwd') is not rejected, allowing attackers to access confidential data and compromise its integrity. The vulnerability is caused by insufficient verification of input data.

Recommendations
For versions 2.x through 2.7.16, consider disabling the use of the local_file: scheme in the urllib module as a temporary workaround until a patch is available. Restrict access to sensitive files and data to minimize the risk of exploitation. Avoid calling urllib.urlopen() with unverified input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit
Path traversal
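As an added illustration of the recommendation above (written for this page, not code from the advisory or from CPython), the following contrasts a blacklist that only rejects file: URLs with an allowlist of permitted schemes; the regex that extracts the scheme is an assumed re-implementation of how Python 2's urllib split the type off a URL, so the check judges the same scheme the fetcher would dispatch on.

```python
import re
from urllib.parse import urlsplit

# Assumed re-implementation of Python 2's urllib.splittype(): everything up to
# the first ':' that contains no '/' is treated as the scheme, underscore included.
_SPLITTYPE = re.compile(r'^([^/:]+):(.*)', re.DOTALL)

DENIED_SCHEMES = {'file'}            # the weak blacklist the advisory describes
ALLOWED_SCHEMES = {'http', 'https'}  # the hardened allowlist


def scheme_as_urllib_saw_it(url):
    """Scheme the vulnerable fetcher would have dispatched on ('' if none)."""
    m = _SPLITTYPE.match(url)
    return m.group(1).lower() if m else ''


def blacklist_check(url):
    """Weak: rejects only a literal file: scheme as reported by urlsplit().

    urlsplit() does not allow '_' in a scheme, so for 'local_file:///...' it
    reports an empty scheme and this check lets the URL through.
    """
    return urlsplit(url).scheme.lower() not in DENIED_SCHEMES


def allowlist_check(url):
    """Hardened: accept only known-good schemes, judged the way urllib split them."""
    return scheme_as_urllib_saw_it(url) in ALLOWED_SCHEMES


def classify(urls):
    """Map each URL to (passes_blacklist, passes_allowlist) for side-by-side review."""
    return {u: (blacklist_check(u), allowlist_check(u)) for u in urls}


if __name__ == '__main__':
    # Constructed sample inputs, including the scheme named in the advisory.
    samples = ['https://example.com/', 'file:///etc/passwd',
               'local_file:///etc/passwd', 'ftp://example.com/']
    for url, (weak, hard) in classify(samples).items():
        print(f'{url:28} blacklist={weak!s:5} allowlist={hard!s:5}')
```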
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu