Описание
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
A flaw was found in Python. The webbrowser.open() API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options, which could lead to unexpected behavior, information disclosure, or potentially arbitrary code execution, impacting the integrity of the system.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | python3.14 | Affected | ||
| Red Hat Enterprise Linux 6 | python | Affected | ||
| Red Hat Enterprise Linux 7 | python | Affected | ||
| Red Hat Enterprise Linux 7 | python3 | Affected | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Enterprise Linux 8 | python39-devel:3.9/python39 | Not affected | ||
| Red Hat Enterprise Linux 9 | python3.14 | Affected | ||
| Red Hat Enterprise Linux 9 | python3.9 | Affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-aws-cuda-rhel9 | Affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-azure-cuda-rhel9 | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.1 High
CVSS3
Связанные уязвимости
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
The webbrowser.open() API would accept leading dashes in the URL which ...
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
EPSS
7.1 High
CVSS3