Follow up of the urllib NFKC normalization vulnerability: the fix ignored the user/password before @ whereas it still allowed to exploit the vulnerability.
The second fix no longer ignores the part before @.
Dates:
Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
Reported at: 2019-06-03 (email to PSRT)
Reported by: Riccardo Schirone (Red Hat)
Python 2.7.17 (2019-10-19) fixed by commit f61599b (branch 2.7) (2019-06-04)
Python 3.5.8 (2019-10-29) fixed by commit 4655d57 (branch 3.5) (2019-07-14)
Python 3.6.9 (2019-07-02) fixed by commit fd1771d (branch 3.6) (2019-06-04)
Python 3.7.4 (2019-07-08) fixed by commit 250b62a (branch 3.7) (2019-06-04)
Python 3.8.0 (2019-10-14) fixed by commit 8d0ef0b (branch 3.8) (2019-06-04)
CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@.
Python issue: bpo-36742
Creation date: 2019-04-27
Reporter: Chihiro Ito
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
CVE ID: CVE-2019-10160
Published: 2019-06-07
CVSS Score: 5.0
Timeline using the disclosure date 2019-04-27 as reference:
2019-04-27: Python issue bpo-36742 reported by Chihiro Ito
2019-06-03 (+37 days): Reported (email to PSRT)
2019-06-04 (+38 days): commit 250b62a (branch 3.7)
2019-06-04 (+38 days): commit 8d0ef0b (branch 3.8)
2019-06-04 (+38 days): commit f61599b (branch 2.7)
2019-06-04 (+38 days): commit fd1771d (branch 3.6)
2019-06-07 (+41 days): CVE-2019-10160 published
2019-07-02 (+66 days): Python 3.6.9 released
2019-07-08 (+72 days): Python 3.7.4 released
2019-07-14 (+78 days): commit 4655d57 (branch 3.5)
2019-10-14: Python 3.8.0 released
2019-10-19 (+175 days): Python 2.7.17 released
2019-10-29 (+185 days): Python 3.5.8 released
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4