CVE-2019-9636

python: Information Disclosure due to urlsplit improper NFKC normalization

Impact: Important
Public Date: 2019-03-06
CWE: CWE-200
Bugzilla: 1688543

The MITRE CVE dictionary describes this issue as:

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

Find out more about CVE-2019-9636 from the MITRE CVE dictionary and NIST NVD.
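The root cause described above is that `urlsplit` returned a netloc containing characters which a later NFKC-normalizing step (IDNA encoding of the hostname, for example) turns into URL delimiters such as `/`, `?`, `#`, `@` or `:`, so the host the caller believes it parsed is not the host that is eventually contacted. The upstream fix makes `urlsplit` reject such URLs. The following is an added example, not Red Hat's or the CPython project's code, showing the same kind of validation as a standalone wrapper for code that must run on an unpatched interpreter; the function names `netloc_changes_under_nfkc` and `safe_urlsplit` and the sample hostnames are constructed for this illustration.

```python
import unicodedata
from urllib.parse import urlsplit, SplitResult

# Characters that separate the netloc from the other URL components.
# If NFKC normalization of a hostname introduces one of these, any
# consumer that normalizes (IDNA does) would see a different host
# than the one urlsplit reported.
_NETLOC_DELIMITERS = "/?#@:"


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """Return True when NFKC normalization of the host part of ``netloc``
    would introduce a URL delimiter, i.e. the URL should be rejected."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        # Pure ASCII cannot change under NFKC, so nothing to check.
        return False
    # Only the host part matters; drop any user:password@ prefix.
    host = netloc.rpartition("@")[2]
    # A port separator is legitimately present; remove it so that only
    # delimiters *created* by normalization are detected.
    stripped = host.replace(":", "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(c in normalized for c in _NETLOC_DELIMITERS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() plus the NFKC netloc check; raises ValueError on a
    URL whose host would change meaning after normalization."""
    parts = urlsplit(url)
    if netloc_changes_under_nfkc(parts.netloc):
        raise ValueError(
            "netloc %r contains characters that become URL delimiters "
            "under NFKC normalization" % parts.netloc)
    return parts


if __name__ == "__main__":
    # Constructed samples: an ASCII URL, an internationalized hostname
    # whose characters are NFKC-stable, and a hostname containing
    # U+FF03 FULLWIDTH NUMBER SIGN, which NFKC turns into "#".
    for sample in ("https://user:pw@example.com:8443/path?q=1",
                   "https://b\u00fccher.example/",
                   "https://example.com\uff03/"):
        try:
            print(sample, "->", safe_urlsplit(sample).netloc)
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

On a patched interpreter `urlsplit` itself raises `ValueError` for the third sample, so the wrapper is harmless there; on an unpatched one it turns the silent misparse into an explicit failure that can be logged and alerted on.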
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value
---|---
CVSS3 Base Score | 7.5
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality Impact | High
Integrity Impact | None
Availability Impact | None
Platform | Package | State
---|---|---
Red Hat Virtualization 4 | python | Under investigation
Red Hat Software Collections for Red Hat Enterprise Linux | rh-python35-python | Under investigation
Red Hat Software Collections for Red Hat Enterprise Linux | python27-python | Under investigation
Red Hat Software Collections for Red Hat Enterprise Linux | rh-python36-python | Under investigation
Red Hat Enterprise Linux 7 | python | Under investigation
Red Hat Enterprise Linux 6 | python | Not affected
Red Hat Enterprise Linux 5 | python | Not affected