REDHAT-BUG-1695570
First published: Wed Apr 03 2019(Updated: )
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. Reference: <a href="https://bugs.python.org/issue35907">https://bugs.python.org/issue35907</a> <a href="https://github.com/python/cpython/pull/11842">https://github.com/python/cpython/pull/11842</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| urllib3 | <=2.7.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.python.org/issue35907
- https://github.com/python/cpython/pull/11842
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1695599
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1695600
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698976
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698977
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698978
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698979
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698980
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698981
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1698982
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1700688
- https://access.redhat.com/errata/RHSA-2019:1700
- https://access.redhat.com/security/cve/cve-2019-9948
- https://access.redhat.com/errata/RHSA-2019:2030
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:3520
- https://access.redhat.com/errata/RHSA-2020:1268
- https://access.redhat.com/errata/RHSA-2020:1346
- https://access.redhat.com/errata/RHSA-2020:1462
- https://bugzilla.redhat.com/show_bug.cgi?id=1695570
Frequently Asked Questions
What is the severity of REDHAT-BUG-1695570?
The severity of REDHAT-BUG-1695570 is considered high due to the potential for remote code execution via local file access.
How do I fix REDHAT-BUG-1695570?
To fix REDHAT-BUG-1695570, upgrade urllib to version 2.7.17 or later, which addresses this vulnerability.
Who is affected by REDHAT-BUG-1695570?
Users of Python urllib versions up to and including 2.7.16 are affected by REDHAT-BUG-1695570.
What is the impact of REDHAT-BUG-1695570?
The impact of REDHAT-BUG-1695570 allows attackers to bypass file protection mechanisms and access sensitive system files.
What types of attacks leverage REDHAT-BUG-1695570?
Remote attackers can exploit REDHAT-BUG-1695570 to invoke urllib with malicious file URIs, potentially leading to unauthorized data exposure.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-9948
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/python
- canonical/urllib3