.. _urlsplit-nfkc-normalization2:

urlsplit does not handle NFKC normalization (second fix)
========================================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.
   The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub in the Open Source Vulnerability (OSV) format.
   This vulnerability can be viewed online at the Open Source Vulnerability Database (osv.dev).

Follow-up to the urlsplit NFKC normalization vulnerability (CVE-2019-9636): the first fix normalized and checked only the part of the netloc after the last ``@`` and ignored the user:password part in front of it. An attacker could therefore still put a character that NFKC-normalizes to a URL delimiter before the ``@`` and have urlsplit pick a different host than a consumer that normalizes the URL first. The second fix no longer ignores the part before ``@``.

Dates:

* Disclosure date: **2019-04-27** (Python issue bpo-36742 reported)
* Reported at: 2019-06-03 (email to PSRT)
* Reported by: Riccardo Schirone (Red Hat)

Fixed In
--------

* Python **2.7.17** (2019-10-19) fixed by commit f61599b (branch 2.7) (2019-06-04)
* Python **3.5.8** (2019-10-29) fixed by commit 4655d57 (branch 3.5) (2019-07-14)
* Python **3.6.9** (2019-07-02) fixed by commit fd1771d (branch 3.6) (2019-06-04)
* Python **3.7.4** (2019-07-08) fixed by commit 250b62a (branch 3.7) (2019-06-04)
* Python **3.8.0** (2019-10-14) fixed by commit 8d0ef0b (branch 3.8) (2019-06-04)

Python issue
------------

CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@.

* Python issue: `bpo-36742 <https://bugs.python.org/issue36742>`_
* Creation date: 2019-04-27
* Reporter: Chihiro Ito

CVE-2019-10160
--------------

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL.

When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

* CVE ID: `CVE-2019-10160 <https://nvd.nist.gov/vuln/detail/CVE-2019-10160>`_
* Published: 2019-06-07
* CVSS Score: 5.0

Timeline
--------

Timeline using the disclosure date **2019-04-27** as reference:

* 2019-04-27: Python issue bpo-36742 reported by Chihiro Ito
* 2019-06-03 (**+37 days**): Reported (email to PSRT)
* 2019-06-04 (**+38 days**): commit 250b62a (branch 3.7)
* 2019-06-04 (**+38 days**): commit 8d0ef0b (branch 3.8)
* 2019-06-04 (**+38 days**): commit f61599b (branch 2.7)
* 2019-06-04 (**+38 days**): commit fd1771d (branch 3.6)
* 2019-06-07 (**+41 days**): CVE-2019-10160 published
* 2019-07-02 (**+66 days**): Python 3.6.9 released
* 2019-07-08 (**+72 days**): Python 3.7.4 released
* 2019-07-14 (**+78 days**): commit 4655d57 (branch 3.5)
* 2019-10-14: Python 3.8.0 released
* 2019-10-19 (**+175 days**): Python 2.7.17 released
* 2019-10-29 (**+185 days**): Python 3.5.8 released
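The check described at the top of this page, as an added example that is not code from the python-security page or from CPython: a simplified reconstruction of the regressed netloc check that only looks at the text after the last ``@`` (the behaviour that made user:password exploitable), beside a check in the style of the second fix that normalizes the whole netloc. Both run on a constructed URL whose FULLWIDTH NUMBER SIGN (U+FF03) NFKC-normalizes to ``#``, so a consumer that normalizes before splitting and one that splits first disagree on the host. The function names, the sample URLs and the exact stripping logic are assumptions of this example; ``stdlib_rejects`` reports what the interpreter running it does today.

```python
"""Added example: user:password vs. host confusion under NFKC normalization.

Not code from this page or from CPython; check_first_fix and
check_second_fix are simplified reconstructions of the behaviour the
page describes, not the library's own functions.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs (not from the page).
# U+FF03 FULLWIDTH NUMBER SIGN becomes '#' under NFKC, so a consumer that
# normalizes before splitting sees "https://example.com#@bing.com"
# (host example.com), while one that splits first sees bing.com.
CRAFTED_URL = "https://example.com\uff03@bing.com"
# Same trick inside the host part: caught even by the regressed check.
HOST_TRICK_URL = "https://example\uff03.com/login"
# Non-ASCII but harmless: U+00FC is unchanged by NFKC.
BENIGN_URL = "https://user:pass@b\u00fccher.example/path"

DELIMITERS = "/?#@:"


def netloc_of(url: str) -> str:
    """Authority part of a URL, split by hand so that no normalization
    check runs (a current urlsplit() would reject CRAFTED_URL outright)."""
    rest = url.split("://", 1)[1]
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def check_first_fix(netloc: str) -> None:
    """Regressed check (what the page calls the first fix): only the text
    after the last '@' is normalized and inspected, so delimiters that
    appear inside user:password after NFKC are never seen."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return
    after_at = netloc.rpartition("@")[2]
    normalized = unicodedata.normalize("NFKC", after_at)
    if normalized == after_at:
        return
    if any(c in normalized for c in DELIMITERS):
        raise ValueError(f"netloc {netloc!r} contains invalid characters "
                         "under NFKC normalization")


def check_second_fix(netloc: str) -> None:
    """Check in the style of the second fix (assumed details): delimiters
    that are literally present are stripped, the whole netloc, userinfo
    included, is normalized, and any delimiter that normalization
    produces is fatal."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    if any(c in normalized for c in DELIMITERS):
        raise ValueError(f"netloc {netloc!r} contains invalid characters "
                         "under NFKC normalization")


def verdicts(url: str) -> dict:
    """Run both checks on the URL's netloc; True means the check rejects it."""
    netloc = netloc_of(url)
    result = {}
    for name, check in (("first_fix", check_first_fix),
                        ("second_fix", check_second_fix)):
        try:
            check(netloc)
            result[name] = False
        except ValueError:
            result[name] = True
    return result


def host_seen_by(url: str, normalize_first: bool) -> str:
    """Hostname a consumer ends up with, depending on whether it NFKC-
    normalizes the URL before splitting it; this disagreement is what lets
    cookies or credentials for one host be sent to another.
    (No IPv6 literals in the samples, so a plain ':' split suffices.)"""
    if normalize_first:
        url = unicodedata.normalize("NFKC", url)
    hostport = netloc_of(url).rpartition("@")[2]
    return hostport.split(":", 1)[0]


def stdlib_rejects(url: str) -> bool:
    """Whether the interpreter running this example rejects the URL."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in (CRAFTED_URL, HOST_TRICK_URL, BENIGN_URL):
        print(f"{url!r}: {verdicts(url)}, stdlib rejects: {stdlib_rejects(url)}")
    print("crafted host, split first:", host_seen_by(CRAFTED_URL, False))
    print("crafted host, normalized :", host_seen_by(CRAFTED_URL, True))
```

On a patched interpreter (3.6.9, 3.7.4, 3.8.0 and later) ``stdlib_rejects(CRAFTED_URL)`` is True, while ``check_first_fix`` still lets the crafted netloc through because the only delimiter created by normalization sits before the ``@``.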