First published: Wed Mar 06 2019
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be parsed incorrectly, so that cookies or authentication data are looked up for, and sent to, a different host than the one a correct parse would yield. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Credit: cve@mitre.org
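Added example, not part of the advisory and not CPython's own source: the root cause above is that urlsplit locates the netloc using the raw `/?#@:` delimiters, while a host containing non-ASCII characters is later NFKC-normalized (IDNA does this), so a character that only becomes a delimiter after normalization moves the host boundary. The check below applies the same idea as the upstream fix I know of: reject a netloc if NFKC normalization introduces any of those delimiters. It also includes a probe that reports whether the interpreter you are running already rejects such input, which is the quickest way to confirm a fixed version from the table below is actually in use. All hostnames are constructed and the function names are mine.

```python
import unicodedata
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Characters that decide where userinfo, host, port, path, query and
# fragment begin. urlsplit finds them in the raw string, but a host is
# later NFKC-normalized (for example by IDNA encoding), so a netloc that
# only grows one of these delimiters *after* normalization is parsed one
# way by urlsplit and another way by whatever resolves the host.
NETLOC_DELIMITERS = "/?#@:"


def netloc_is_stable_under_nfkc(netloc: str) -> bool:
    """Return True if NFKC normalization cannot change how `netloc` splits.

    Delimiters already present in the raw netloc are ignored: they were
    visible to urlsplit, so they are not the problem. Only delimiters that
    *appear* through normalization (e.g. U+FF03 FULLWIDTH NUMBER SIGN
    becoming '#', or U+2100 ACCOUNT OF becoming 'a/c') make it unsafe.
    """
    if not netloc or netloc.isascii():
        return True          # ASCII is unchanged by NFKC
    stripped = netloc
    for ch in "@:#?":        # ignore delimiters that were already there
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True          # normalization is a no-op for this host
    return not any(ch in normalized for ch in NETLOC_DELIMITERS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit that refuses URLs whose netloc is not NFKC-stable.

    On a fixed interpreter urlsplit itself raises ValueError for such
    input; on an affected one this wrapper supplies the missing check.
    """
    parts = urlsplit(url)
    if not netloc_is_stable_under_nfkc(parts.netloc):
        raise ValueError(
            f"netloc {parts.netloc!r} contains characters that become URL "
            f"delimiters under NFKC normalization"
        )
    return parts


def hostname_or_none(url: str) -> Optional[str]:
    """Hostname a cookie jar or credential cache may key on, or None when
    the URL cannot be trusted to name a single host."""
    try:
        return safe_urlsplit(url).hostname
    except ValueError:
        return None


def interpreter_rejects_unstable_netloc() -> bool:
    """Probe whether this interpreter's urlsplit already carries the fix.

    The probe URL is constructed: its host contains U+FF03, which NFKC
    maps to '#'. A fixed urlsplit raises ValueError; an affected one
    returns a SplitResult whose netloc differs from the normalized host.
    """
    try:
        urlsplit("http://example\uff03.com/")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("urlsplit already fixed:", interpreter_rejects_unstable_netloc())
    for url in (
        "https://user:pw@api.example.com:8443/v1?x=1",   # plain ASCII
        "https://bu\u0308cher.example/",                  # IDN; NFKC only composes
        "https://example\uff03.com/login",                # fullwidth '#' in host
    ):
        print(f"{url!r:50} -> {hostname_or_none(url)!r}")
```

`hostname_or_none` is the shape to use at the boundary where a hostname becomes a cache key: a plain IDN host (the composed umlaut case) is accepted because normalization changes bytes but not structure, while a host that grows a delimiter is refused rather than being keyed under whatever urlsplit happened to return.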
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python | <0:2.6.6-68.el6_10 | 0:2.6.6-68.el6_10 |
redhat/python | <0:2.7.5-77.el7_6 | 0:2.7.5-77.el7_6 |
redhat/python | <0:2.7.5-59.el7_4 | 0:2.7.5-59.el7_4 |
redhat/python | <0:2.7.5-70.el7_5 | 0:2.7.5-70.el7_5 |
redhat/python3 | <0:3.6.8-2.el8_0 | 0:3.6.8-2.el8_0 |
redhat/rh-python36-python | <0:3.6.3-4.el6 | 0:3.6.3-4.el6 |
redhat/python27-python | <0:2.7.13-4.el6 | 0:2.7.13-4.el6 |
redhat/rh-python35-python | <0:3.5.1-12.el6 | 0:3.5.1-12.el6 |
redhat/rh-python36-python | <0:3.6.3-7.el7 | 0:3.6.3-7.el7 |
redhat/python27-python | <0:2.7.13-6.el7 | 0:2.7.13-6.el7 |
redhat/rh-python35-python | <0:3.5.1-12.el7 | 0:3.5.1-12.el7 |
redhat/redhat-release-virtualization-host | <0:4.2-8.4.el7 | 0:4.2-8.4.el7 |
redhat/redhat-virtualization-host | <0:4.2-20190411.1.el7_6 | 0:4.2-20190411.1.el7_6 |
redhat/rhvm-appliance | <0:4.2-20190411.1.el7 | 0:4.2-20190411.1.el7 |
Python Python | >=2.7.0<2.7.17 | |
Python Python | >=3.0.0<3.4.10 | |
Python Python | >=3.5.0<3.5.7 | |
Python Python | >=3.6.0<3.6.9 | |
Python Python | >=3.7.0<3.7.3 | |
Fedoraproject Fedora | =28 | |
Fedoraproject Fedora | =29 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
openSUSE Leap | =15.0 | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =42.3 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
Redhat Openshift Container Platform | =3.11 | |
Redhat Enterprise Linux | =7.5 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Eus | =7.5 | |
Redhat Enterprise Linux Eus | =8.1 | |
Redhat Enterprise Linux Eus | =8.2 | |
Redhat Enterprise Linux Eus | =8.4 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server Aus | =7.4 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Eus | =5.6 | |
Redhat Enterprise Linux Server Tus | =7.4 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Virtualization | =4.0 | |
Redhat Enterprise Linux | =7.0 | |
Oracle Sun Zfs Storage Appliance Kit | =8.8.6 | |
ubuntu/python2.7 | <2.7.15-4ubuntu4~18.04.1 | 2.7.15-4ubuntu4~18.04.1 |
ubuntu/python2.7 | <2.7.16-2~18.10 | 2.7.16-2~18.10 |
ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
ubuntu/python2.7 | <2.7.16-2 | 2.7.16-2 |
ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.8 | 2.7.12-1ubuntu0~16.04.8 |
ubuntu/python3.4 | <3.4.3-1ubuntu1~14.04.7+ | 3.4.3-1ubuntu1~14.04.7+ |
ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.8 | 3.5.2-2ubuntu0~16.04.8 |
ubuntu/python3.6 | <3.6.8-1~18.04.2 | 3.6.8-1~18.04.2 |
ubuntu/python3.7 | <3.7.3~ | 3.7.3~ |
All of | ||
Redhat Virtualization | =4.0 | |
Redhat Enterprise Linux | =7.0 | |
redhat/python | <3.5.7 | 3.5.7 |
redhat/python | <3.7.3 | 3.7.3 |
debian/python2.7 | 2.7.16-2+deb10u1 2.7.16-2+deb10u4 2.7.18-8+deb11u1 | |
debian/python3.7 | 3.7.3-2+deb10u3 3.7.3-2+deb10u7 | |