{"containers":{"cna":{"affected":[{"product":"python","vendor":"Python","versions":[{"status":"affected","version":"affects 2.7, 3.5, 3.6, 3.7, >= v3.8.0a4 and < v3.8.0b1"}]}],"descriptions":[{"lang":"en","value":"A security regression of CVE-2019-9636 was discovered in Python since commit d537ab0ff9767ef024f26246899728f0116b1ec3, affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it would if the URLs had been parsed correctly. The result of an attack may vary based on the application."}],"metrics":[{"cvssV3_0":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-172","description":"CWE-172","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2020-08-22T16:06:12.000Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["x_refsource_MISC"],"url":"https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc
480359e2d3bb93de"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09"},{"tags":["x_refsource_CONFIRM"],"url":"https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20190617-0003/"},{"name":"RHSA-2019:1587","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2019:1587"},{"name":"[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"},{"name":"RHSA-2019:1700","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2019:1700"},{"name":"FEDORA-2019-7723d4774a","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"},{"name":"FEDORA-2019-7df59302e0","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"},{"name":"FEDORA-2019-9bfb4a3e4b","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/"},{"name":"FEDORA-2019-60a1defcd1","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/"},{"name":"RHSA-2019:2437","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2019:2437"},{"name":"openSUSE-SU-2019:1906","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg000
42.html"},{"name":"USN-4127-2","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4127-2/"},{"name":"USN-4127-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4127-1/"},{"name":"FEDORA-2019-50772cf122","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/"},{"name":"FEDORA-2019-5dc275c9f2","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/"},{"name":"FEDORA-2019-2b1f72899a","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/"},{"name":"FEDORA-2019-b06ec6159b","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"},{"name":"FEDORA-2019-d202cda4f8","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"},{"name":"FEDORA-2019-57462fa10d","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"},{"name":"openSUSE-SU-2020:0086","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"},{"name":"[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"},{"name":"[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 
opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"},{"name":"[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T22:10:10.028Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20190617-0003/"},{"name":"RHSA-2019:1587","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2019:1587"},{"name":"[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security 
update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"},{"name":"RHSA-2019:1700","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2019:1700"},{"name":"FEDORA-2019-7723d4774a","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"},{"name":"FEDORA-2019-7df59302e0","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"},{"name":"FEDORA-2019-9bfb4a3e4b","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/"},{"name":"FEDORA-2019-60a1defcd1","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/"},{"name":"RHSA-2019:2437","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2019:2437"},{"name":"openSUSE-SU-2019:1906","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html"},{"name":"USN-4127-2","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4127-2/"},{"name":"USN-4127-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4127-1/"},{"name":"FEDORA-2019-50772cf122","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject
.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/"},{"name":"FEDORA-2019-5dc275c9f2","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/"},{"name":"FEDORA-2019-2b1f72899a","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/"},{"name":"FEDORA-2019-b06ec6159b","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"},{"name":"FEDORA-2019-d202cda4f8","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"},{"name":"FEDORA-2019-57462fa10d","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"},{"name":"openSUSE-SU-2020:0086","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"},{"name":"[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"},{"name":"[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 
image","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"},{"name":"[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"}]}]},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2019-10160","datePublished":"2019-06-07T17:50:33.000Z","dateReserved":"2019-03-27T00:00:00.000Z","dateUpdated":"2024-08-04T22:10:10.028Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}