CVE-2019-9636

First published: Wed Mar 06 2019(Updated: )

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/python	<0:2.6.6-68.el6_10	0:2.6.6-68.el6_10
redhat/python	<0:2.7.5-77.el7_6	0:2.7.5-77.el7_6
redhat/python	<0:2.7.5-59.el7_4	0:2.7.5-59.el7_4
redhat/python	<0:2.7.5-70.el7_5	0:2.7.5-70.el7_5
redhat/python3	<0:3.6.8-2.el8_0	0:3.6.8-2.el8_0
redhat/rh-python36-python	<0:3.6.3-4.el6	0:3.6.3-4.el6
redhat/python27-python	<0:2.7.13-4.el6	0:2.7.13-4.el6
redhat/rh-python35-python	<0:3.5.1-12.el6	0:3.5.1-12.el6
redhat/rh-python36-python	<0:3.6.3-7.el7	0:3.6.3-7.el7
redhat/python27-python	<0:2.7.13-6.el7	0:2.7.13-6.el7
redhat/rh-python35-python	<0:3.5.1-12.el7	0:3.5.1-12.el7
redhat/redhat-release-virtualization-host	<0:4.2-8.4.el7	0:4.2-8.4.el7
redhat/redhat-virtualization-host	<0:4.2-20190411.1.el7_6	0:4.2-20190411.1.el7_6
redhat/rhvm-appliance	<0:4.2-20190411.1.el7	0:4.2-20190411.1.el7
Python Python	>=2.7.0<2.7.17
Python Python	>=3.0.0<3.4.10
Python Python	>=3.5.0<3.5.7
Python Python	>=3.6.0<3.6.9
Python Python	>=3.7.0<3.7.3
Fedoraproject Fedora	=28
Fedoraproject Fedora	=29
Fedoraproject Fedora	=30
Fedoraproject Fedora	=31
openSUSE Leap	=15.0
openSUSE Leap	=15.1
openSUSE Leap	=42.3
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
Canonical Ubuntu Linux	=12.04
Canonical Ubuntu Linux	=14.04
Canonical Ubuntu Linux	=16.04
Canonical Ubuntu Linux	=18.04
Canonical Ubuntu Linux	=19.04
Redhat Openshift Container Platform	=3.11
Redhat Enterprise Linux	=7.5
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux Desktop	=6.0
Redhat Enterprise Linux Eus	=7.5
Redhat Enterprise Linux Eus	=8.1
Redhat Enterprise Linux Eus	=8.2
Redhat Enterprise Linux Eus	=8.4
Redhat Enterprise Linux Eus	=8.6
Redhat Enterprise Linux Server	=6.0
Redhat Enterprise Linux Server Aus	=7.4
Redhat Enterprise Linux Server Aus	=8.2
Redhat Enterprise Linux Server Aus	=8.4
Redhat Enterprise Linux Server Eus	=5.6
Redhat Enterprise Linux Server Tus	=7.4
Redhat Enterprise Linux Server Tus	=8.2
Redhat Enterprise Linux Server Tus	=8.4
Redhat Enterprise Linux Server Tus	=8.6
Redhat Enterprise Linux Workstation	=6.0
Redhat Virtualization	=4.0
Redhat Enterprise Linux	=7.0
Oracle Sun Zfs Storage Appliance Kit	=8.8.6
ubuntu/python2.7	<2.7.15-4ubuntu4~18.04.1	2.7.15-4ubuntu4~18.04.1
ubuntu/python2.7	<2.7.16-2~18.10	2.7.16-2~18.10
ubuntu/python2.7	<2.7.6-8ubuntu0.6+	2.7.6-8ubuntu0.6+
ubuntu/python2.7	<2.7.16-2	2.7.16-2
ubuntu/python2.7	<2.7.12-1ubuntu0~16.04.8	2.7.12-1ubuntu0~16.04.8
ubuntu/python3.4	<3.4.3-1ubuntu1~14.04.7+	3.4.3-1ubuntu1~14.04.7+
ubuntu/python3.5	<3.5.2-2ubuntu0~16.04.8	3.5.2-2ubuntu0~16.04.8
ubuntu/python3.6	<3.6.8-1~18.04.2	3.6.8-1~18.04.2
ubuntu/python3.7	<3.7.3~	3.7.3~
All of
Redhat Virtualization	=4.0
Redhat Enterprise Linux	=7.0
redhat/python	<3.5.7	3.5.7
redhat/python	<3.7.3	3.7.3
debian/python2.7		2.7.16-2+deb10u1 2.7.16-2+deb10u4 2.7.18-8+deb11u1
debian/python3.7		3.7.3-2+deb10u3 3.7.3-2+deb10u7

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/redhat-cve
collector/nvd-index
agent/type
agent/last-modified-date
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-9636
agent/remedy
agent/weakness
agent/references
agent/severity
agent/description
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
package-manager/redhat
vendor/python
canonical/python python
version/python python/2.7.0
version/python python/3.0.0
version/python python/3.5.0
version/python python/3.6.0
version/python python/3.7.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/28
version/fedoraproject fedora/29
version/fedoraproject fedora/30
version/fedoraproject fedora/31
vendor/opensuse
canonical/opensuse leap
version/opensuse leap/15.0
version/opensuse leap/15.1
version/opensuse leap/42.3
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/12.04
version/canonical ubuntu linux/14.04
version/canonical ubuntu linux/16.04
version/canonical ubuntu linux/18.04
version/canonical ubuntu linux/19.04
vendor/redhat
canonical/redhat openshift container platform
version/redhat openshift container platform/3.11
canonical/redhat enterprise linux
version/redhat enterprise linux/7.5
version/redhat enterprise linux/8.0
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/6.0
canonical/redhat enterprise linux eus
version/redhat enterprise linux eus/7.5
version/redhat enterprise linux eus/8.1
version/redhat enterprise linux eus/8.2
version/redhat enterprise linux eus/8.4
version/redhat enterprise linux eus/8.6
canonical/redhat enterprise linux server
version/redhat enterprise linux server/6.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/7.4
version/redhat enterprise linux server aus/8.2
version/redhat enterprise linux server aus/8.4
canonical/redhat enterprise linux server eus
version/redhat enterprise linux server eus/5.6
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/7.4
version/redhat enterprise linux server tus/8.2
version/redhat enterprise linux server tus/8.4
version/redhat enterprise linux server tus/8.6
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/6.0
canonical/redhat virtualization
version/redhat virtualization/4.0
version/redhat enterprise linux/7.0
vendor/oracle
canonical/oracle sun zfs storage appliance kit
version/oracle sun zfs storage appliance kit/8.8.6
package-manager/debian
package-manager/ubuntu

CVE-2019-9636

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact