Security Vulnerabilities affect IBM Cloud Private Cloud Foundry - Python (CVE-2019-9947, CVE-2019-9948)
CVEID:CVE-2019-9948
**DESCRIPTION:**urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blocklist file: URIs, as demonstrated by triggering a urllib.urlopen(‘local_file:///etc/passwd’) call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2019-9947
**DESCRIPTION:**An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Private | 3.2.1 CD |
IBM Cloud Private | 3.2.0 CD |
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
For IBM Cloud Private - Cloud Foundry 3.2.0, apply fix pack:
For IBM Cloud Private - Cloud Foundry 3.2.1, apply fix pack:
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud private | eq | any |