high
7
Advisory Published
Updated

REDHAT-BUG-1718388

First published: Fri Jun 07 2019(Updated: )

A security regression for <a href="https://access.redhat.com/security/cve/CVE-2019-9636">CVE-2019-9636</a> was discovered in python's functions urllib.parse.urlsplit and urllib.parse.urlparse, introduced with commit d537ab0ff9767ef024f26246899728f0116b1ec3. No upstream python version is affected by this regression but the vulnerable commit may already have been included downstream as part of the original fix for <a href="https://access.redhat.com/security/cve/CVE-2019-9636">CVE-2019-9636</a>. Affected python versions ignore the user/password part before `@` in the netloc component of a URL, thus it still allows an attacker to exploit the vulnerability as in <a href="https://access.redhat.com/security/cve/CVE-2019-9636">CVE-2019-9636</a>. Those functions do not properly handle URLs encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), which may result in a wrong domain name (specifically the netloc component of URL - user@domain:port) being returned by those functions. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. External Reference <a href="https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html">https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html</a> Vulnerable commit <a href="https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3">https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3</a> Upstream patch <a href="https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e">https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e</a>

Affected SoftwareAffected VersionHow to fix
Python Babel Localedata

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of REDHAT-BUG-1718388?

    The severity of REDHAT-BUG-1718388 is considered critical due to the potential exploitation of the flaw.

  • How do I fix REDHAT-BUG-1718388?

    To fix REDHAT-BUG-1718388, ensure that your Python installation is updated to the latest version that includes the patch.

  • What vulnerabilities are related to REDHAT-BUG-1718388?

    REDHAT-BUG-1718388 is directly related to the security regression of CVE-2019-9636.

  • What components are affected by REDHAT-BUG-1718388?

    REDHAT-BUG-1718388 affects Python's urllib.parse.urlsplit and urllib.parse.urlparse functions.

  • Who is responsible for addressing REDHAT-BUG-1718388?

    The responsibility for addressing REDHAT-BUG-1718388 lies with the maintainers of the affected Python software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203