Lucene search

K
archlinuxArchLinuxASA-201911-4
HistoryNov 03, 2019 - 12:00 a.m.

[ASA-201911-4] python2: information disclosure

2019-11-0300:00:00
security.archlinux.org
36

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

83.9%

Arch Linux Security Advisory ASA-201911-4

Severity: High
Date : 2019-11-03
CVE-ID : CVE-2019-9636
Package : python2
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-978

Summary

The package python2 before version 2.7.17-1 is vulnerable to
information disclosure.

Resolution

Upgrade to 2.7.17-1.

pacman -Syu “python2>=2.7.17-1”

The problem has been fixed upstream in version 2.7.17.

Workaround

None.

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by
improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization. A specially crafted URL could be incorrectly parsed
by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or
authentication data and send that information to a different host than
when parsed correctly.

Impact

A remote attacker is able to craft a malicious URL and transfer private
data to a different host than expected.

References

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://security.archlinux.org/CVE-2019-9636

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanypython2< 2.7.17-1UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

83.9%