Vulnerability Description
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | >= 2.7.0, < 2.7.17 |
| Fedoraproject | Fedora | 28 |
| Opensuse | Leap | 15.0 |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Redhat | Openshift Container Platform | 3.11 |
| Redhat | Enterprise Linux | 7.5 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Eus | 7.5 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Aus | 7.4 |
| Redhat | Enterprise Linux Server Eus | 5.6 |
| Redhat | Enterprise Linux Server Tus | 7.4 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Redhat | Virtualization | 4.0 |
| Oracle | Sun Zfs Storage Appliance Kit | 8.8.6 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.htmlMailing ListThird Party Advisory
- http://www.securityfocus.com/bid/107400Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHBA-2019:0763Third Party Advisory
- https://access.redhat.com/errata/RHBA-2019:0764Third Party Advisory
- https://access.redhat.com/errata/RHBA-2019:0959Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0710Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0765Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0806Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0902Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0981Third Party Advisory
FAQ
What is CVE-2019-9636?
CVE-2019-9636 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (cre...
How severe is CVE-2019-9636?
CVE-2019-9636 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-9636?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Fedoraproject Fedora, Opensuse Leap, Debian Debian Linux, Canonical Ubuntu Linux.