Vulnerability CVE-2019-9636: Information

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
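
The discrepancy the description refers to, and the check that closes it, as an added Python example (not code from this advisory or from CPython; the sample URLs are constructed): splitting the same URL before and after NFKC normalization yields two different hosts, and netloc_changes_under_nfkc is modelled on the check a patched urlsplit performs, so safe_urlsplit gives the same protection on an interpreter that predates the fix.

```python
import re
import unicodedata
from urllib.parse import SplitResult, urlsplit

# Constructed sample URL (not from the advisory): the netloc contains U+FF03
# FULLWIDTH NUMBER SIGN, which NFKC normalization turns into a plain '#'.
CRAFTED_URL = "https://example.com\uff03@other.example/path"
PLAIN_URL = "https://example.com/path"

def raw_netloc(url: str) -> str:
    """Netloc as urlsplit finds it: the text after '//' up to the first '/',
    '?' or '#', with no normalization applied."""
    rest = url.partition("//")[2]
    return re.split(r"[/?#]", rest, maxsplit=1)[0]

def host_of(netloc: str) -> str:
    """Host part of a netloc: whatever follows the last '@' (this simplified
    helper ignores ports and IPv6 brackets)."""
    return netloc.rpartition("@")[2]

def host_disagreement(url: str) -> tuple:
    """Host obtained by splitting the raw URL versus the NFKC-normalized URL.
    A mismatch is the bug: data cached for one host can go to the other."""
    before = host_of(raw_netloc(url))
    after = host_of(raw_netloc(unicodedata.normalize("NFKC", url)))
    return before, after

def netloc_changes_under_nfkc(netloc: str) -> bool:
    """Modelled on the check a patched urlsplit performs: True if NFKC
    normalization of the netloc would create a new URL delimiter."""
    if not netloc or netloc.isascii():
        return False
    stripped = netloc
    for delim in "@:#?":  # delimiters already present are legitimate
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(delim in normalized for delim in "/?#@:")

def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit that applies the check itself, giving the same protection on
    an interpreter that predates the fix."""
    netloc = raw_netloc(url)
    if netloc_changes_under_nfkc(netloc):
        raise ValueError("netloc %r changes under NFKC normalization" % netloc)
    return urlsplit(url)
```

Legitimate non-ASCII hosts whose characters are already in NFKC form (for example a precomposed umlaut) pass the check unchanged; only characters that expand into a delimiter are rejected.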

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: March 9, 2019
Modified: Nov. 7, 2023

Fixed packages

Package name   Branch    Fixed in version     Version from repository   Errata ID            Task #   State
python         sisyphus  2.7.17-alt1          2.7.18-alt11              ALT-PU-2019-3103-1   240064   Fixed
python         p10       2.7.17-alt1          2.7.18-alt10              ALT-PU-2019-3103-1   240064   Fixed
python         c10f1     2.7.17-alt1          2.7.18-alt10              ALT-PU-2019-3103-1   240064   Fixed
python         c9f2      2.7.18-alt0.M90P.1   2.7.18-alt0.MC9.1         ALT-PU-2020-3318-1   261853   Fixed
python3        sisyphus  3.7.3-alt1           3.12.2-alt1               ALT-PU-2019-1685-1   225625   Fixed
python3        p10       3.7.3-alt1           3.9.18-alt1               ALT-PU-2019-1685-1   225625   Fixed
python3        p9        3.7.3-alt1           3.7.17-alt1               ALT-PU-2019-1685-1   225625   Fixed
python3        c10f1     3.7.3-alt1           3.9.16-alt1               ALT-PU-2019-1685-1   225625   Fixed
python3        c9f2      3.7.3-alt1           3.7.17-alt1               ALT-PU-2019-1685-1   225625   Fixed

References to Advisories, Solutions, and Tools

Hyperlink, followed by its resource type(s)
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
  • Patch
  • Third Party Advisory
https://github.com/python/cpython/pull/12201
  • Patch
  • Third Party Advisory
https://bugs.python.org/issue36216
  • Issue Tracking
  • Patch
  • Vendor Advisory
107400
  • Third Party Advisory
  • VDB Entry
RHSA-2019:0710
  • Third Party Advisory
RHSA-2019:0765
  • Third Party Advisory
RHSA-2019:0806
  • Third Party Advisory
openSUSE-SU-2019:1273
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:1282
  • Mailing List
  • Third Party Advisory
RHSA-2019:0902
  • Third Party Advisory
RHSA-2019:0997
  • Third Party Advisory
RHSA-2019:0981
  • Third Party Advisory
RHBA-2019:0959
  • Third Party Advisory
openSUSE-SU-2019:1371
  • Mailing List
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20190517-0001/
  • Third Party Advisory
RHSA-2019:1467
  • Third Party Advisory
openSUSE-SU-2019:1580
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update
  • Mailing List
  • Third Party Advisory
RHBA-2019:0763
  • Third Party Advisory
RHBA-2019:0764
  • Third Party Advisory
openSUSE-SU-2019:1906
  • Mailing List
  • Third Party Advisory
USN-4127-2
  • Third Party Advisory
USN-4127-1
  • Third Party Advisory
RHSA-2019:2980
  • Third Party Advisory
RHSA-2019:3170
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html
  • Third Party Advisory
openSUSE-SU-2020:0086
  • Mailing List
  • Third Party Advisory
GLSA-202003-26
  • Third Party Advisory
[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update
  • Mailing List
  • Third Party Advisory
N/A
FEDORA-2019-243442e600
FEDORA-2019-6e1938a3c5
FEDORA-2019-6baeb15da3
FEDORA-2019-cf725dd20b
FEDORA-2019-6b02154aa0
FEDORA-2019-7d9f3cf3ce
FEDORA-2019-51f1e08207
FEDORA-2019-a122fe704d
FEDORA-2019-86f32cbab1
FEDORA-2019-1ffd6b6064
FEDORA-2019-ec26883852
FEDORA-2019-7723d4774a
FEDORA-2019-7df59302e0
FEDORA-2019-9bfb4a3e4b
FEDORA-2019-60a1defcd1
FEDORA-2019-5dc275c9f2
FEDORA-2019-2b1f72899a
FEDORA-2019-b06ec6159b
FEDORA-2019-d202cda4f8
FEDORA-2019-57462fa10d
Configuration 1

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*   versions from 3.7.0 (including) up to 3.7.3 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*   versions from 3.6.0 (including) up to 3.6.9 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*   versions from 3.5.0 (including) up to 3.5.7 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*   versions from 3.0.0 (including) up to 3.4.10 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*   versions from 2.7.0 (including) up to 2.7.17 (excluding)

Configuration 2

cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 5

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

Configuration 6

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:5.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*

Configuration 7

cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 8

cpe:2.3:a:oracle:sun_zfs_storage_appliance_kit:8.8.6:*:*:*:*:*:*:*