Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-9636

Disclosure Date: March 08, 2019
CVE-2019-9636 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • debian,
  • fedoraproject,
  • opensuse,
  • oracle,
  • python,
  • redhat

Products

  • debian linux 8.0,
  • debian linux 9.0,
  • enterprise linux 7.5,
  • enterprise linux 8.0,
  • enterprise linux desktop 6.0,
  • enterprise linux eus 7.5,
  • enterprise linux eus 8.1,
  • enterprise linux eus 8.2,
  • enterprise linux eus 8.4,
  • enterprise linux eus 8.6,
  • enterprise linux server 6.0,
  • enterprise linux server aus 7.4,
  • enterprise linux server aus 8.2,
  • enterprise linux server aus 8.4,
  • enterprise linux server eus 5.6,
  • enterprise linux server tus 7.4,
  • enterprise linux server tus 8.2,
  • enterprise linux server tus 8.4,
  • enterprise linux server tus 8.6,
  • enterprise linux workstation 6.0,
  • fedora 28,
  • fedora 29,
  • fedora 30,
  • fedora 31,
  • leap 15.0,
  • leap 15.1,
  • leap 42.3,
  • openshift container platform 3.11,
  • python,
  • sun zfs storage appliance kit 8.8.6,
  • ubuntu linux 12.04,
  • ubuntu linux 14.04,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 19.04,
  • virtualization 4.0

References

Canonical
CVE-2019-9636 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636)
BID-107400 (http://www.securityfocus.com/bid/107400)
Advisory
FEDORA-2019-243442e600 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM)
FEDORA-2019-6e1938a3c5 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB)
FEDORA-2019-6baeb15da3 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7)
FEDORA-2019-cf725dd20b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ)
FEDORA-2019-6b02154aa0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW)
FEDORA-2019-7d9f3cf3ce (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3)
FEDORA-2019-51f1e08207 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK)
FEDORA-2019-a122fe704d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME)
FEDORA-2019-86f32cbab1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I)
https://access.redhat.com/errata/RHSA-2019:0710
https://access.redhat.com/errata/RHSA-2019:0765
https://access.redhat.com/errata/RHSA-2019:0806
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html
https://access.redhat.com/errata/RHSA-2019:0902
https://access.redhat.com/errata/RHSA-2019:0981
https://access.redhat.com/errata/RHSA-2019:0997
https://access.redhat.com/errata/RHBA-2019:0959
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html
FEDORA-2019-1ffd6b6064 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4)
https://security.netapp.com/advisory/ntap-20190517-0001
FEDORA-2019-ec26883852 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK)
https://access.redhat.com/errata/RHSA-2019:1467
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html)
[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update (https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html)
https://access.redhat.com/errata/RHBA-2019:0764
https://access.redhat.com/errata/RHBA-2019:0763
FEDORA-2019-7723d4774a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU)
FEDORA-2019-7df59302e0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL)
FEDORA-2019-9bfb4a3e4b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES)
FEDORA-2019-60a1defcd1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L)
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
USN-4127-2 (https://usn.ubuntu.com/4127-2)
USN-4127-1 (https://usn.ubuntu.com/4127-1)
FEDORA-2019-5dc275c9f2 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ)
FEDORA-2019-2b1f72899a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY)
https://access.redhat.com/errata/RHSA-2019:2980
https://access.redhat.com/errata/RHSA-2019:3170
FEDORA-2019-b06ec6159b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX)
FEDORA-2019-d202cda4f8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V)
FEDORA-2019-57462fa10d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR)
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
GLSA-202003-26 (https://security.gentoo.org/glsa/202003-26)
[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update (https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html)
[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html)
FEDORA-2019-243442e600 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/)
FEDORA-2019-6e1938a3c5 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/)
FEDORA-2019-6baeb15da3 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/)
FEDORA-2019-cf725dd20b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/)
FEDORA-2019-6b02154aa0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/)
FEDORA-2019-7d9f3cf3ce (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/)
FEDORA-2019-51f1e08207 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/)
FEDORA-2019-a122fe704d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/)
FEDORA-2019-86f32cbab1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/)
FEDORA-2019-1ffd6b6064 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/)
https://security.netapp.com/advisory/ntap-20190517-0001/
FEDORA-2019-ec26883852 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/)
FEDORA-2019-7723d4774a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/)
FEDORA-2019-7df59302e0 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/)
FEDORA-2019-9bfb4a3e4b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/)
FEDORA-2019-60a1defcd1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/)
USN-4127-2 (https://usn.ubuntu.com/4127-2/)
USN-4127-1 (https://usn.ubuntu.com/4127-1/)
FEDORA-2019-5dc275c9f2 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/)
FEDORA-2019-2b1f72899a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/)
FEDORA-2019-b06ec6159b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/)
FEDORA-2019-d202cda4f8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/)
FEDORA-2019-57462fa10d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/)
Miscellaneous
https://github.com/python/cpython/pull/12201
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://bugs.python.org/issue36216
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis