ID CVE-2019-9636
Summary Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
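A worked illustration of the parsing discrepancy the summary describes, added here as an example; it is not code from CPython or from the CVE record. The naive netloc extraction below reproduces the pre-fix urlsplit behaviour so the effect can be shown on a patched interpreter (where the stdlib already refuses such URLs); netloc_is_ambiguous is modelled on the check the upstream fix added to urllib.parse; the helper names, the safe_urlsplit wrapper and the sample URLs are this example's own.

```python
import unicodedata
from urllib.parse import SplitResult, urlsplit

# URL delimiters that must not appear inside a hostname.
DELIMITERS = '/?#@:'


def raw_netloc(url: str) -> str:
    """Mirror the pre-fix urlsplit netloc extraction: take everything after
    the first '//' up to the first ASCII '/', '?' or '#', with no check on
    what that text normalizes to."""
    if '//' not in url:
        return ''
    rest = url.split('//', 1)[1]
    end = len(rest)
    for delim in '/?#':
        pos = rest.find(delim)
        if pos != -1 and pos < end:
            end = pos
    return rest[:end]


def host_of(netloc: str) -> str:
    """Hostname from a netloc: drop userinfo (before the last '@') and port."""
    host = netloc.rpartition('@')[2]
    return host.partition(':')[0].lower()


def netloc_is_ambiguous(netloc: str) -> bool:
    """True when NFKC normalization of a non-ASCII netloc would introduce a
    delimiter that was not there before, so the host a cookie jar or auth
    handler is keyed on can differ from the host actually contacted after
    IDNA/NFKC processing. Modelled on the check the upstream fix added."""
    if not netloc or netloc.isascii():
        return False
    stripped = netloc
    for delim in '@:#?':          # delimiters already present are legitimate
        stripped = stripped.replace(delim, '')
    normalized = unicodedata.normalize('NFKC', stripped)
    if normalized == stripped:
        return False
    return any(delim in normalized for delim in DELIMITERS)


def host_before_and_after(url: str) -> tuple:
    """(host as the naive parser sees it, host after NFKC-normalizing the URL)."""
    before = host_of(raw_netloc(url))
    after = host_of(raw_netloc(unicodedata.normalize('NFKC', url)))
    return before, after


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit wrapper for interpreters that predate the fix: reject a URL
    whose netloc changes meaning under NFKC before handing it to the stdlib."""
    netloc = raw_netloc(url)
    if netloc_is_ambiguous(netloc):
        raise ValueError(
            "netloc %r contains invalid characters under NFKC normalization" % netloc)
    return urlsplit(url)


def rejects(url: str) -> bool:
    """True if safe_urlsplit refuses the URL."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample URLs: U+FF03 (fullwidth '#') and U+2100 ('a/c')
    # both NFKC-normalize into URL delimiters; the last two are benign.
    for sample in ('http://example.com\uFF03@bing.com',
                   'http://\u2100.example.com/',
                   'http://b\u00fccher.example/',
                   'https://user:pw@example.com:8443/path'):
        print(repr(sample), host_before_and_after(sample), rejects(sample))
```

For the first sample the naive parser keys cookies and credentials on bing.com while the NFKC form of the same URL yields example.com; for the second the host collapses to a single letter "a" once U+2100 expands to "a/c". A precomposed umlaut or a plain ASCII netloc is unchanged by NFKC and passes. The wrapper is only useful on interpreters older than the fixed releases; on a patched Python the stdlib's own check raises the same ValueError.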
References
Vulnerable Configurations
  • Python 2.7.0
    cpe:2.3:a:python:python:2.7.0
  • Python 2.7.1
    cpe:2.3:a:python:python:2.7.1
  • Python 2.7.1 Release Candidate 1
    cpe:2.3:a:python:python:2.7.1:rc1
  • Python 2.7.2
    cpe:2.3:a:python:python:2.7.2
  • Python 2.7.2 Release Candidate 1
    cpe:2.3:a:python:python:2.7.2:rc1
  • Python 2.7.3
    cpe:2.3:a:python:python:2.7.3
  • Python 2.7.4
    cpe:2.3:a:python:python:2.7.4
  • Python 2.7.5
    cpe:2.3:a:python:python:2.7.5
  • Python 2.7.6
    cpe:2.3:a:python:python:2.7.6
  • Python 2.7.7
    cpe:2.3:a:python:python:2.7.7
  • Python 2.7.8
    cpe:2.3:a:python:python:2.7.8
  • Python 2.7.9
    cpe:2.3:a:python:python:2.7.9
  • Python 2.7.10
    cpe:2.3:a:python:python:2.7.10
  • Python 2.7.11
    cpe:2.3:a:python:python:2.7.11
  • Python 2.7.12
    cpe:2.3:a:python:python:2.7.12
  • Python 2.7.13
    cpe:2.3:a:python:python:2.7.13
  • Python 2.7.14
    cpe:2.3:a:python:python:2.7.14
  • Python 2.7.15
    cpe:2.3:a:python:python:2.7.15
  • Python 2.7.16
    cpe:2.3:a:python:python:2.7.16
  • Python 2.7.16 Release Candidate 1
    cpe:2.3:a:python:python:2.7.16:rc1
  • Python 3.0.0
    cpe:2.3:a:python:python:3.0.0
  • Python 3.0.1
    cpe:2.3:a:python:python:3.0.1
  • Python 3.1
    cpe:2.3:a:python:python:3.1
  • Python 3.1.0
    cpe:2.3:a:python:python:3.1.0
  • Python 3.1.1
    cpe:2.3:a:python:python:3.1.1
  • Python 3.1.2
    cpe:2.3:a:python:python:3.1.2
  • Python 3.1.3
    cpe:2.3:a:python:python:3.1.3
  • Python 3.1.4
    cpe:2.3:a:python:python:3.1.4
  • Python 3.1.5
    cpe:2.3:a:python:python:3.1.5
  • Python 3.1.2150 (x64) 64-bit
    cpe:2.3:a:python:python:3.1.2150:-:-:-:-:-:x64
  • Python 3.2
    cpe:2.3:a:python:python:3.2
  • Python 3.2-alpha
    cpe:2.3:a:python:python:3.2:alpha
  • Python 3.2.0
    cpe:2.3:a:python:python:3.2.0
  • Python 3.2.1
    cpe:2.3:a:python:python:3.2.1
  • Python 3.2.2
    cpe:2.3:a:python:python:3.2.2
  • Python 3.2.3
    cpe:2.3:a:python:python:3.2.3
  • Python 3.2.4
    cpe:2.3:a:python:python:3.2.4
  • Python 3.2.5
    cpe:2.3:a:python:python:3.2.5
  • Python 3.2.6
    cpe:2.3:a:python:python:3.2.6
  • Python 3.2.2150
    cpe:2.3:a:python:python:3.2.2150
  • Python 3.3
    cpe:2.3:a:python:python:3.3
  • Python 3.3 beta 2
    cpe:2.3:a:python:python:3.3:beta2
  • Python 3.3.0
    cpe:2.3:a:python:python:3.3.0
  • Python 3.3.1
    cpe:2.3:a:python:python:3.3.1
  • Python 3.3.1 release candidate 1
    cpe:2.3:a:python:python:3.3.1:rc1
  • Python 3.3.2
    cpe:2.3:a:python:python:3.3.2
  • Python 3.3.3
    cpe:2.3:a:python:python:3.3.3
  • Python 3.3.3 release candidate 1
    cpe:2.3:a:python:python:3.3.3:rc1
  • Python 3.3.3 release candidate 2
    cpe:2.3:a:python:python:3.3.3:rc2
  • Python 3.3.4
    cpe:2.3:a:python:python:3.3.4
  • Python 3.3.4 release candidate 1
    cpe:2.3:a:python:python:3.3.4:rc1
  • Python 3.3.5
    cpe:2.3:a:python:python:3.3.5
  • Python 3.3.5 release candidate 1
    cpe:2.3:a:python:python:3.3.5:rc1
  • Python 3.3.5 release candidate 2
    cpe:2.3:a:python:python:3.3.5:rc2
  • Python 3.3.6
    cpe:2.3:a:python:python:3.3.6
  • Python 3.3.6 release candidate 1
    cpe:2.3:a:python:python:3.3.6:rc1
  • Python 3.3.7
    cpe:2.3:a:python:python:3.3.7
  • Python 3.4 alpha 1
    cpe:2.3:a:python:python:3.4:alpha1
  • Python 3.4.0
    cpe:2.3:a:python:python:3.4.0
  • Python 3.4.1
    cpe:2.3:a:python:python:3.4.1
  • Python 3.4.2
    cpe:2.3:a:python:python:3.4.2
  • Python 3.4.3
    cpe:2.3:a:python:python:3.4.3
  • Python 3.4.4
    cpe:2.3:a:python:python:3.4.4
  • Python 3.4.5
    cpe:2.3:a:python:python:3.4.5
  • Python 3.4.6
    cpe:2.3:a:python:python:3.4.6
  • Python 3.4.7
    cpe:2.3:a:python:python:3.4.7
  • Python 3.4.8
    cpe:2.3:a:python:python:3.4.8
  • Python 3.4.9
    cpe:2.3:a:python:python:3.4.9
  • Python 3.5
    cpe:2.3:a:python:python:3.5
  • Python 3.5.0
    cpe:2.3:a:python:python:3.5.0
  • Python 3.5.0 Alpha1
    cpe:2.3:a:python:python:3.5.0:alpha1
  • Python 3.5.0 Alpha2
    cpe:2.3:a:python:python:3.5.0:alpha2
  • Python 3.5.0 Alpha3
    cpe:2.3:a:python:python:3.5.0:alpha3
  • Python 3.5.0 Alpha4
    cpe:2.3:a:python:python:3.5.0:alpha4
  • Python 3.5.0 Beta1
    cpe:2.3:a:python:python:3.5.0:beta1
  • Python 3.5.0 Beta2
    cpe:2.3:a:python:python:3.5.0:beta2
  • Python 3.5.0 Beta3
    cpe:2.3:a:python:python:3.5.0:beta3
  • Python 3.5.0 Beta4
    cpe:2.3:a:python:python:3.5.0:beta4
  • Python 3.5.0 Release Candidate 1
    cpe:2.3:a:python:python:3.5.0:rc1
  • Python 3.5.0 Release Candidate 2
    cpe:2.3:a:python:python:3.5.0:rc2
  • Python 3.5.0 Release Candidate 3
    cpe:2.3:a:python:python:3.5.0:rc3
  • Python 3.5.0 Release Candidate 4
    cpe:2.3:a:python:python:3.5.0:rc4
  • Python 3.5.1
    cpe:2.3:a:python:python:3.5.1
  • Python 3.5.1 Release Candidate 1
    cpe:2.3:a:python:python:3.5.1:rc1
  • Python 3.5.2
    cpe:2.3:a:python:python:3.5.2
  • Python 3.5.2 Release Candidate 1
    cpe:2.3:a:python:python:3.5.2:rc1
  • Python 3.5.3
    cpe:2.3:a:python:python:3.5.3
  • Python 3.5.3 Release Candidate 1
    cpe:2.3:a:python:python:3.5.3:rc1
  • Python 3.5.4
    cpe:2.3:a:python:python:3.5.4
  • Python 3.5.4 Release Candidate 1
    cpe:2.3:a:python:python:3.5.4:rc1
  • Python 3.5.5
    cpe:2.3:a:python:python:3.5.5
  • Python 3.5.5 Release Candidate 1
    cpe:2.3:a:python:python:3.5.5:rc1
  • Python 3.5.6
    cpe:2.3:a:python:python:3.5.6
  • Python 3.6
    cpe:2.3:a:python:python:3.6
  • Python 3.6.0
    cpe:2.3:a:python:python:3.6.0
  • Python 3.6.0 Alpha1
    cpe:2.3:a:python:python:3.6.0:alpha1
  • Python 3.6.0 Alpha2
    cpe:2.3:a:python:python:3.6.0:alpha2
  • Python 3.6.0 Alpha3
    cpe:2.3:a:python:python:3.6.0:alpha3
  • Python 3.6.0 Alpha4
    cpe:2.3:a:python:python:3.6.0:alpha4
  • Python 3.6.0 Beta1
    cpe:2.3:a:python:python:3.6.0:beta1
  • Python 3.6.0 Beta2
    cpe:2.3:a:python:python:3.6.0:beta2
  • Python 3.6.0 Beta3
    cpe:2.3:a:python:python:3.6.0:beta3
  • Python 3.6.0 Beta4
    cpe:2.3:a:python:python:3.6.0:beta4
  • Python 3.6.0 Release Candidate 1
    cpe:2.3:a:python:python:3.6.0:rc1
  • Python 3.6.0 Release Candidate 2
    cpe:2.3:a:python:python:3.6.0:rc2
  • Python 3.6.1
    cpe:2.3:a:python:python:3.6.1
  • Python 3.6.1 Release Candidate 1
    cpe:2.3:a:python:python:3.6.1:rc1
  • Python 3.6.2
    cpe:2.3:a:python:python:3.6.2
  • Python 3.6.2 Release Candidate 1
    cpe:2.3:a:python:python:3.6.2:rc1
  • Python 3.6.2 Release Candidate 2
    cpe:2.3:a:python:python:3.6.2:rc2
  • Python 3.6.3
    cpe:2.3:a:python:python:3.6.3
  • Python 3.6.3 Release Candidate 1
    cpe:2.3:a:python:python:3.6.3:rc1
  • Python 3.6.4
    cpe:2.3:a:python:python:3.6.4
  • Python 3.6.4 Release Candidate 1
    cpe:2.3:a:python:python:3.6.4:rc1
  • Python 3.6.5
    cpe:2.3:a:python:python:3.6.5
  • Python 3.6.5 Release Candidate 1
    cpe:2.3:a:python:python:3.6.5:rc1
  • Python 3.6.6
    cpe:2.3:a:python:python:3.6.6
  • Python 3.6.6 Release Candidate 1
    cpe:2.3:a:python:python:3.6.6:rc1
  • Python 3.6.7
    cpe:2.3:a:python:python:3.6.7
  • Python 3.7 Beta
    cpe:2.3:a:python:python:3.7:beta
  • Python 3.7.0
    cpe:2.3:a:python:python:3.7.0
  • Python 3.7.0 Alpha1
    cpe:2.3:a:python:python:3.7.0:alpha1
  • Python 3.7.0 Alpha2
    cpe:2.3:a:python:python:3.7.0:alpha2
  • Python 3.7.0 Alpha3
    cpe:2.3:a:python:python:3.7.0:alpha3
  • Python 3.7.0 Alpha4
    cpe:2.3:a:python:python:3.7.0:alpha4
  • Python 3.7.0 Beta1
    cpe:2.3:a:python:python:3.7.0:beta1
  • Python 3.7.0 Beta2
    cpe:2.3:a:python:python:3.7.0:beta2
  • Python 3.7.0 Beta3
    cpe:2.3:a:python:python:3.7.0:beta3
  • Python 3.7.0 Beta4
    cpe:2.3:a:python:python:3.7.0:beta4
  • Python 3.7.0 Beta5
    cpe:2.3:a:python:python:3.7.0:beta5
  • Python 3.7.0 Release Candidate 1
    cpe:2.3:a:python:python:3.7.0:rc1
  • Python 3.7.1
    cpe:2.3:a:python:python:3.7.1
  • Python 3.7.1 Release Candidate 1
    cpe:2.3:a:python:python:3.7.1:rc1
  • Python 3.7.1 Release Candidate 2
    cpe:2.3:a:python:python:3.7.1:rc2
  • Python 3.7.2
    cpe:2.3:a:python:python:3.7.2
  • Python 3.7.2 Release Candidate 1
    cpe:2.3:a:python:python:3.7.2:rc1
  • Fedora 28
    cpe:2.3:o:fedoraproject:fedora:28
  • Fedora 29
    cpe:2.3:o:fedoraproject:fedora:29
  • Fedora 30
    cpe:2.3:o:fedoraproject:fedora:30
  • Red Hat Enterprise Linux 6.5
    cpe:2.3:o:redhat:enterprise_linux:6.5
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
  • Red Hat Enterprise Linux 7.4
    cpe:2.3:o:redhat:enterprise_linux:7.4
  • Red Hat Enterprise Linux 7.5
    cpe:2.3:o:redhat:enterprise_linux:7.5
  • Red Hat Enterprise Linux 7.6
    cpe:2.3:o:redhat:enterprise_linux:7.6
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • openSUSE Leap 15.0
    cpe:2.3:o:opensuse:leap:15.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-255
CAPEC
redhat via4
advisories
  • bugzilla
    id 1688543
    title CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment python is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710005
        • comment python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554008
      • AND
        • comment python-debug is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710015
        • comment python-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152101016
      • AND
        • comment python-devel is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710011
        • comment python-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554010
      • AND
        • comment python-libs is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710017
        • comment python-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554014
      • AND
        • comment python-test is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710007
        • comment python-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554016
      • AND
        • comment python-tools is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710009
        • comment python-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554012
      • AND
        • comment tkinter is earlier than 0:2.7.5-77.el7_6
          oval oval:com.redhat.rhsa:tst:20190710013
        • comment tkinter is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554018
    rhsa
    id RHSA-2019:0710
    released 2019-04-08
    severity Important
    title RHSA-2019:0710: python security update (Important)
  • rhsa
    id RHBA-2019:0959
  • rhsa
    id RHSA-2019:0765
  • rhsa
    id RHSA-2019:0806
  • rhsa
    id RHSA-2019:0902
  • rhsa
    id RHSA-2019:0981
  • rhsa
    id RHSA-2019:0997
rpms
  • python-0:2.7.5-77.el7_6
  • python-debug-0:2.7.5-77.el7_6
  • python-devel-0:2.7.5-77.el7_6
  • python-libs-0:2.7.5-77.el7_6
  • python-test-0:2.7.5-77.el7_6
  • python-tools-0:2.7.5-77.el7_6
  • tkinter-0:2.7.5-77.el7_6
refmap via4
bid 107400
confirm https://security.netapp.com/advisory/ntap-20190517-0001/
fedora
  • FEDORA-2019-1ffd6b6064
  • FEDORA-2019-243442e600
  • FEDORA-2019-51f1e08207
  • FEDORA-2019-6b02154aa0
  • FEDORA-2019-6baeb15da3
  • FEDORA-2019-6e1938a3c5
  • FEDORA-2019-7d9f3cf3ce
  • FEDORA-2019-86f32cbab1
  • FEDORA-2019-a122fe704d
  • FEDORA-2019-cf725dd20b
  • FEDORA-2019-ec26883852
misc
suse
  • openSUSE-SU-2019:1273
  • openSUSE-SU-2019:1282
  • openSUSE-SU-2019:1371
Last major update 08-03-2019 - 16:29
Published 08-03-2019 - 16:29
Last modified 13-06-2019 - 12:29