{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2019-10160", "ASSIGNER": "secalert@redhat.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Python", "product": { "product_data": [ { "product_name": "python", "version": { "version_data": [ { "version_value": "affects 2.7, 3.5, 3.6, 3.7, >= v3.8.0a4 and < v3.8.0b1" } ] } } ] } } ] } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-172" } ] } ] }, "references": { "reference_data": [ { "url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", "refsource": "MISC", "name": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", "refsource": "CONFIRM" }, { "url": "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "name": "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "refsource": "CONFIRM" }, { "url": "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "name": "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "refsource": "CONFIRM" }, { "url": "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "name": "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "refsource": "CONFIRM" }, { "url": "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "name": "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "refsource": "CONFIRM" }, { "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20190617-0003/", "url": "https://security.netapp.com/advisory/ntap-20190617-0003/" }, { "refsource": "REDHAT", "name": "RHSA-2019:1587", 
"url": "https://access.redhat.com/errata/RHSA-2019:1587" }, { "refsource": "MLIST", "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" }, { "refsource": "REDHAT", "name": "RHSA-2019:1700", "url": "https://access.redhat.com/errata/RHSA-2019:1700" }, { "refsource": "FEDORA", "name": "FEDORA-2019-7723d4774a", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-7df59302e0", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-9bfb4a3e4b", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-60a1defcd1", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/" }, { "refsource": "REDHAT", "name": "RHSA-2019:2437", "url": "https://access.redhat.com/errata/RHSA-2019:2437" }, { "refsource": "SUSE", "name": "openSUSE-SU-2019:1906", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html" }, { "refsource": "UBUNTU", "name": "USN-4127-2", "url": "https://usn.ubuntu.com/4127-2/" }, { "refsource": "UBUNTU", "name": "USN-4127-1", "url": "https://usn.ubuntu.com/4127-1/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-50772cf122", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-5dc275c9f2", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/" }, 
{ "refsource": "FEDORA", "name": "FEDORA-2019-2b1f72899a", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-b06ec6159b", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-d202cda4f8", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" }, { "refsource": "FEDORA", "name": "FEDORA-2019-57462fa10d", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" } ] }, "description": { "description_data": [ { "lang": "eng", "value": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it would if the URLs had been parsed correctly. The result of an attack may vary based on the application." } ] }, "impact": { "cvss": [ [ { "vectorString": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ] ] } }