Vulnerability CVE-2019-9948
Published: 2019-03-23

Description:
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Type:

CWE-254

 (Security Features)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.4/10
4.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None
Affected software
Python -> Python 
Opensuse -> LEAP 
Netapp -> Active iq performance analytics services 

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
http://www.securityfocus.com/bid/107549
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
https://security.netapp.com/advisory/ntap-20190404-0004/
Copyright 2024, cxsecurity.com

 

Back to Top