
CVE-2019-9948

Published: 23 Mar 2019
Source: debian

Description

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

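Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| python3.7 | fixed | 3.7.4~rc2-2 | | package |
| python3.7 | fixed | 3.7.3-2+deb10u1 | buster | package |
| python3.6 | removed | | | package |
| python3.5 | removed | | | package |
| python3.4 | removed | | | package |
| python2.7 | fixed | 2.7.16-2 | | package |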

Notes

  • https://bugs.python.org/issue35907

  • https://github.com/python/cpython/pull/11842

  • https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b (3.7)

  • https://github.com/python/cpython/commit/4f06dae5d8d4400ba38d8502da620f07d4a5696e (3.6)

  • https://github.com/python/cpython/commit/b15bde8058e821b383d81fcae68b335a752083ca (2.7)

  • https://github.com/python/cpython/commit/942c31dffbe886ff02e25a319cc3891220b8c641 (2.7)

Related vulnerabilities

CVSS3: 9.1
ubuntu
about 6 years ago

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

CVSS3: 7.4
redhat
about 6 years ago

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

CVSS3: 9.1
nvd
about 6 years ago

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

CVSS3: 9.1
github
about 3 years ago

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

fstec
about 6 years ago

A vulnerability in the urllib module of the Python programming language interpreter, related to flaws in restricting a pathname to a directory, which allows an attacker to gain access to confidential data and violate its integrity