Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2019-1243

Related Vulnerabilities: CVE-2019-9636   CVE-2019-9740   CVE-2019-9947  

An issue was discovered in urllib2 in Python 2.x and urllib in Python 3.x. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740, CVE-2019-9947) Python 2.7.x and 3.x are affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636)

Source

ALAS-2019-1243

Amazon Linux AMI Security Advisory: ALAS-2019-1243
Advisory Release Date: 2019-07-17 23:51 Pacific
Advisory Updated Date: 2019-07-25 18:45 Pacific
Severity: Medium
Issue Overview:

An issue was discovered in urllib2 in Python 2.x and urllib in Python 3.x. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740, CVE-2019-9947)

Python 2.7.x and 3.x are affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636)


Affected Packages:

python35


Issue Correction:
Run yum update python35 to update your system.

New Packages:
i686:
    python35-3.5.7-1.22.amzn1.i686
    python35-libs-3.5.7-1.22.amzn1.i686
    python35-devel-3.5.7-1.22.amzn1.i686
    python35-test-3.5.7-1.22.amzn1.i686
    python35-tools-3.5.7-1.22.amzn1.i686
    python35-debuginfo-3.5.7-1.22.amzn1.i686

src:
    python35-3.5.7-1.22.amzn1.src

x86_64:
    python35-test-3.5.7-1.22.amzn1.x86_64
    python35-debuginfo-3.5.7-1.22.amzn1.x86_64
    python35-3.5.7-1.22.amzn1.x86_64
    python35-libs-3.5.7-1.22.amzn1.x86_64
    python35-tools-3.5.7-1.22.amzn1.x86_64
    python35-devel-3.5.7-1.22.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started