ID CVE-2019-10160
Summary A security regression of CVE-2019-9636 was discovered in Python, introduced by commit d537ab0ff9767ef024f26246899728f0116b1ec3 and affecting versions 2.7, 3.5, 3.6, 3.7 and 3.8.0a4 through 3.8.0b1. The fix for CVE-2019-9636 made urlsplit() reject a netloc containing characters that turn into URL delimiters under NFKC normalization; the regression left the user and password parts of the netloc unchecked, so the original attack still works through them. When an application parses user-supplied URLs to store cookies, authentication credentials or other host-related information, an attacker can supply a specially crafted URL that makes the application attribute that information to one host and send it to a different host, which would not happen if the URL were parsed correctly. The result of an attack varies with the application.
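The following Python example is added here for illustration; it is not CPython's code and not part of this record. The two checker functions are simplified models of the behaviour described above: hostname_only_check() stands in for the regressed check that examined only the host after stripping user:password@ and :port (an assumption about the shape of the bug, not the exact source), while whole_netloc_check() is modelled on the behaviour of the final fix, which normalizes the whole authority component minus the delimiters already present. host_disagreement() shows the consequence (two views of the same URL naming different hosts), and probe_running_interpreter() runs the real urllib.parse.urlsplit, so its result reflects the installed Python. All URLs and host names are constructed placeholders.

```python
"""Added example (not CPython's code): NFKC-decomposing characters in the
user:password part of a URL, and a check of the installed interpreter.

Assumptions, labelled here and in the comments:
  * hostname_only_check() is a simplified model of the regressed behaviour,
    not the exact CPython source.
  * whole_netloc_check() is modelled on the behaviour of the final fix.
  * Every URL and host name below is a constructed placeholder.
"""
import unicodedata
from urllib.parse import urlsplit

# Characters that must never be *produced* inside the authority component by
# NFKC normalization: each one changes where the host name ends.
NETLOC_DELIMITERS = "/?#@:"


def hostname_only_check(netloc: str) -> bool:
    """Model of the regressed check (assumption): userinfo and port are
    stripped *before* normalization, so a fullwidth '#' or ':' hidden in
    the user name is never examined. Returns True if netloc is accepted."""
    if not netloc or netloc.isascii():
        return True
    _, _, host = netloc.rpartition("@")      # drop user:password@
    host, _, _ = host.partition(":")         # drop :port
    normalized = unicodedata.normalize("NFKC", host)
    return not any(c in normalized for c in NETLOC_DELIMITERS)


def whole_netloc_check(netloc: str) -> bool:
    """Modelled on the final fix: remove only the delimiter characters that
    are legitimately present already, normalize everything that remains
    (user, password, host and port alike), and reject the netloc if
    normalization manufactured a new delimiter. Returns True if accepted."""
    if not netloc or netloc.isascii():
        return True
    remaining = netloc
    for c in "@:#?":
        remaining = remaining.replace(c, "")
    normalized = unicodedata.normalize("NFKC", remaining)
    if normalized == remaining:
        return True                          # nothing decomposed
    return not any(c in normalized for c in NETLOC_DELIMITERS)


def host_disagreement(url: str) -> tuple:
    """The actual impact: the host a naive consumer picks out of the raw URL
    versus the host seen once the URL has been NFKC-normalized (as IDNA
    processing or a browser would see it). When the two differ, cookies or
    credentials scoped by one view end up sent to the other host."""
    raw_netloc = url.split("://", 1)[1].split("/", 1)[0]
    raw_host = raw_netloc.rpartition("@")[2].partition(":")[0]
    normalized_host = urlsplit(unicodedata.normalize("NFKC", url)).hostname
    return raw_host, normalized_host


def probe_running_interpreter() -> dict:
    """Run the real urllib.parse.urlsplit on constructed inputs. A patched
    interpreter rejects both decomposing URLs and still accepts a port that
    follows a composing sequence (the case the regression was trying to
    allow)."""
    cases = {
        # U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#', inside the user name
        "userinfo": "http://n\uff03user@netloc/path#test",
        # Same character between a decoy host and the real host (CVE-2019-9636 shape)
        "host": "http://example.com\uff03@evil.example/",
        # U+30D5 U+309A compose to U+30D7; the ':' already exists, so it is fine
        "port_ok": "http://\u30d5\u309a:80/",
    }
    outcome = {}
    for name, url in cases.items():
        try:
            urlsplit(url)
            outcome[name] = "accepted"
        except ValueError:
            outcome[name] = "rejected"
    outcome["is_patched"] = (outcome["userinfo"] == "rejected"
                             and outcome["host"] == "rejected"
                             and outcome["port_ok"] == "accepted")
    return outcome


if __name__ == "__main__":
    for netloc in ("n\uff03user@netloc", "example.com\uff03@evil.example",
                   "\u30d5\u309a:80", "\u30d5\u309a\ufe1380"):
        print(repr(netloc), "hostname-only:", hostname_only_check(netloc),
              "whole-netloc:", whole_netloc_check(netloc))
    print(host_disagreement("http://example.com\uff03@evil.example/"))
    print(probe_running_interpreter())
```

Running the block on a patched interpreter shows the hostname-only model accepting the two decomposing netlocs that the whole-netloc model rejects, both models accepting the composing-sequence-plus-port case, and probe_running_interpreter() reporting is_patched True; on an affected build the "userinfo" case comes back "accepted".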
References
Vulnerable Configurations
  • cpe:2.3:a:python:python:3.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python:3.8.0b1:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 06-01-2021 - 16:11)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1718388
    title CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment python is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587001
          • comment python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554004
        • AND
          • comment python-debug is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587003
          • comment python-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152101004
        • AND
          • comment python-devel is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587005
          • comment python-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554006
        • AND
          • comment python-libs is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587007
          • comment python-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554008
        • AND
          • comment python-test is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587009
          • comment python-test is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554010
        • AND
          • comment python-tools is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587011
          • comment python-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554012
        • AND
          • comment tkinter is earlier than 0:2.7.5-80.el7_6
            oval oval:com.redhat.rhsa:tst:20191587013
          • comment tkinter is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110554014
    rhsa
    id RHSA-2019:1587
    released 2019-06-20
    severity Important
    title RHSA-2019:1587: python security update (Important)
  • rhsa
    id RHSA-2019:1700
  • rhsa
    id RHSA-2019:2437
rpms
  • python-0:2.7.5-80.el7_6
  • python-debug-0:2.7.5-80.el7_6
  • python-debuginfo-0:2.7.5-80.el7_6
  • python-devel-0:2.7.5-80.el7_6
  • python-libs-0:2.7.5-80.el7_6
  • python-test-0:2.7.5-80.el7_6
  • python-tools-0:2.7.5-80.el7_6
  • tkinter-0:2.7.5-80.el7_6
  • python27-python-0:2.7.16-6.el6
  • python27-python-0:2.7.16-6.el7
  • python27-python-debug-0:2.7.16-6.el6
  • python27-python-debug-0:2.7.16-6.el7
  • python27-python-debuginfo-0:2.7.16-6.el6
  • python27-python-debuginfo-0:2.7.16-6.el7
  • python27-python-devel-0:2.7.16-6.el6
  • python27-python-devel-0:2.7.16-6.el7
  • python27-python-libs-0:2.7.16-6.el6
  • python27-python-libs-0:2.7.16-6.el7
  • python27-python-test-0:2.7.16-6.el6
  • python27-python-test-0:2.7.16-6.el7
  • python27-python-tools-0:2.7.16-6.el6
  • python27-python-tools-0:2.7.16-6.el7
  • python27-tkinter-0:2.7.16-6.el6
  • python27-tkinter-0:2.7.16-6.el7
  • imgbased-0:1.1.9-0.1.el7ev
  • ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • python-imgbased-0:1.1.9-0.1.el7ev
  • python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • redhat-release-virtualization-host-0:4.3.5-2.el7ev
  • redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7
  • redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev
refmap via4
confirm
fedora
  • FEDORA-2019-2b1f72899a
  • FEDORA-2019-50772cf122
  • FEDORA-2019-57462fa10d
  • FEDORA-2019-5dc275c9f2
  • FEDORA-2019-60a1defcd1
  • FEDORA-2019-7723d4774a
  • FEDORA-2019-7df59302e0
  • FEDORA-2019-9bfb4a3e4b
  • FEDORA-2019-b06ec6159b
  • FEDORA-2019-d202cda4f8
misc https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
mlist
  • [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
  • [debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update
  • [debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update
  • [debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update
suse
  • openSUSE-SU-2019:1906
  • openSUSE-SU-2020:0086
ubuntu
  • USN-4127-1
  • USN-4127-2
Last major update 06-01-2021 - 16:11
Published 07-06-2019 - 18:29
Last modified 06-01-2021 - 16:11