First published: Sat Oct 12 2019
library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
Credit: cve@mitre.org
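An added example (not code from this advisory, from Python, or from the Willoughby scripts) showing why the workaround calls sort(): a loader in which the last file read wins produces different settings depending on the order glob.glob returns. The file names, the `verify_tls` key and the loader functions are assumptions made for illustration.

```python
import glob
import itertools
import os
import tempfile

# Constructed sample input: two config fragments where the last file read wins.
FRAGMENTS = {
    "10-defaults.conf": "verify_tls=false\n",
    "90-hardening.conf": "verify_tls=true\n",
}

def load_fragments(paths):
    """Merge key=value files in the order given; later files override earlier ones."""
    merged = {}
    for path in paths:
        with open(path) as fh:
            for line in fh:
                key, sep, value = line.strip().partition("=")
                if sep:
                    merged[key] = value
    return merged

def load_sorted(pattern):
    """The workaround named in the description: sort the glob.glob result explicitly."""
    return load_fragments(sorted(glob.glob(pattern)))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in FRAGMENTS.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        pattern = os.path.join(tmp, "*.conf")
        matches = glob.glob(pattern)  # order is whatever the OS directory listing gives
        # glob.glob promises no order, so every permutation is a result some
        # filesystem may produce; collect the setting each one leads to.
        unsorted_outcomes = {
            load_fragments(order)["verify_tls"]
            for order in itertools.permutations(matches)
        }
        return unsorted_outcomes, load_sorted(pattern)["verify_tls"]

if __name__ == "__main__":
    outcomes, fixed = demo()
    print("possible values without sorting:", sorted(outcomes))
    print("value with sorted():", fixed)
```
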
Affected Software | Affected Version | How to fix |
---|---|---|
Python Python | =3.6.0 | |
Python Python | =3.7.0 | |
Python Python | =3.8.0 | |
ubuntu/python2.7 | <2.7.17-1~18.04ubuntu1.1 | 2.7.17-1~18.04ubuntu1.1 |
ubuntu/python2.7 | <2.7.18-1~20.04.1 | 2.7.18-1~20.04.1 |
ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.12 | 2.7.12-1ubuntu0~16.04.12 |
ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.11 | 3.5.2-2ubuntu0~16.04.11 |
ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1.1 | 3.6.9-1~18.04ubuntu1.1 |
ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
ubuntu/python3.8 | <3.8.0-3~18.04 | 3.8.0-3~18.04 |
ubuntu/python3.8 | <3.8.2-1ubuntu1.2 | 3.8.2-1ubuntu1.2 |
CVE-2019-17514 is a vulnerability in the Python 2 and 3 documentation before 2016 that contains potentially misleading information about whether sorting occurs.
The severity of CVE-2019-17514 is high, with a CVSS score of 7.5.
CVE-2019-17514 affects Python versions earlier than 2.7.17-1~18.04ubuntu1.1, 2.7.18-1~20.04.1, 2.7.6-8ubuntu0.6+, 2.7.12-1ubuntu0~16.04.12, 3.5.2-2ubuntu0~16.04.11, 3.6.9-1~18.04ubuntu1.1, 3.4.3-1ubuntu1~14.04.7+, 3.8.0-3~18.04, and 3.8.2-1ubuntu1.2, as listed in the table above.
To fix CVE-2019-17514, update your Python version to a patched release, such as Python 2.7.17-1~18.04ubuntu1.1, Python 2.7.18-1~20.04.1, Python 2.7.6-8ubuntu0.6+, Python 2.7.12-1ubuntu0~16.04.12, Python 3.5.2-2ubuntu0~16.04.11, Python 3.6.9-1~18.04ubuntu1.1, Python 3.4.3-1ubuntu1~14.04.7+, Python 3.8.0-3~18.04, or Python 3.8.2-1ubuntu1.2, depending on your operating system.
You can find more information about CVE-2019-17514 at the following references: [1] [2] [3].