PT-2019-4598 · Python+8
Published 2019-03-06 · Updated 2024-07-11 · CVE-2019-9636
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Python versions 2.7.x through 2.7.16 and 3.x through 3.7.2
Description
The vulnerability stems from improper handling of Unicode NFKC normalization in the URL parsing functions urllib.parse.urlsplit and urllib.parse.urlparse. A remote attacker can supply a specially crafted URL containing characters that normalize to URL delimiters, so that the URL is parsed as pointing to a different host than the one it names; this can cause sensitive data cached against a given hostname, including credentials and cookies, to be sent to a host of the attacker's choosing.
Recommendations
For Python versions 2.7.x through 2.7.16, update to version 2.7.17 or later.
For Python versions 3.x through 3.7.2, update to version 3.7.3 or later.
As a temporary workaround, consider restricting the use of the urllib.parse.urlsplit and urllib.parse.urlparse functions on untrusted input until the patch is applied.
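As an added illustration (not part of this advisory and not upstream code), the following Python reproduces the kind of netloc check that the fixed Python versions apply: it flags a URL whose authority component gains a delimiter character under NFKC normalization, which is the condition CVE-2019-9636 relies on. The function names and the sample URLs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Delimiters whose appearance after normalization changes how the authority
# component is split into userinfo, host, port, path, query and fragment.
_DELIMITERS = "/?#@:"


def extract_netloc(url: str) -> str:
    """Return the authority (netloc) part of ``url`` without calling urlsplit,
    using the same terminators urlsplit uses ('/', '?', '#')."""
    if "//" not in url:
        return ""
    rest = url.split("//", 1)[1]
    end = len(rest)
    for terminator in "/?#":
        pos = rest.find(terminator)
        if pos != -1 and pos < end:
            end = pos
    return rest[:end]


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """True if NFKC normalization introduces a delimiter into ``netloc``
    that was not present in the original string."""
    if not netloc or all(ord(ch) < 128 for ch in netloc):
        return False  # pure ASCII is unchanged by NFKC
    # Delimiters already present are legitimate; drop them so that only
    # delimiters *produced* by normalization are detected.
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(ch in normalized for ch in _DELIMITERS)


def safe_urlsplit(url: str):
    """urlsplit wrapper that rejects URLs affected by CVE-2019-9636.
    On a patched interpreter urlsplit itself already raises ValueError."""
    netloc = extract_netloc(url)
    if netloc_changes_under_nfkc(netloc):
        raise ValueError("netloc %r gains URL delimiters under NFKC normalization" % netloc)
    return urlsplit(url)


if __name__ == "__main__":
    # Constructed sample: U+FF03 (FULLWIDTH NUMBER SIGN) normalizes to '#', so a
    # parser working on the raw string and one working on the normalized string
    # disagree about which host the URL names.
    sample = "https://example.com\uff03@other.example/"
    print(netloc_changes_under_nfkc(extract_netloc(sample)))  # True
```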
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
Python
Red Hat
Rocky Linux
SUSE
Ubuntu