urlsplit does not handle NFKC normalization (second fix)¶
Follow-up of the urllib NFKC normalization vulnerability (CVE-2019-9636): the first fix only checked the part of the netloc after the '@', ignoring the user:password part before it, so the vulnerability could still be exploited through the user and password components of a URL. The second fix no longer ignores the part before '@'.
Dates:
- Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
- Reported at: 2019-06-03 (email to PSRT)
- Reported by: Riccardo Schirone (Red Hat)
Fixed In¶
- Python 2.7.17 (2019-10-19) fixed by commit f61599b (branch 2.7) (2019-06-04)
- Python 3.5.8 (2019-10-29) fixed by commit 4655d57 (branch 3.5) (2019-07-14)
- Python 3.6.9 (2019-07-02) fixed by commit fd1771d (branch 3.6) (2019-06-04)
- Python 3.7.4 (2019-07-08) fixed by commit 250b62a (branch 3.7) (2019-06-04)
- Python 3.8.0 (2019-10-14) fixed by commit 8d0ef0b (branch 3.8) (2019-06-04)
Python issue¶
CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@.
- Python issue: bpo-36742
- Creation date: 2019-04-27
- Reporter: Chihiro Ito
CVE-2019-10160¶
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
- CVE ID: CVE-2019-10160
- Published: 2019-06-07
- CVSS Score: 5.0
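To make the two checks concrete, the following added example (written for this page, not the CPython patch itself) reimplements a minimal netloc check in both forms: one that normalizes only the part after the last '@', which is how the page describes the incomplete first fix, and one that normalizes the whole netloc, userinfo included. The helper names, the `FORBIDDEN` set and the sample URLs are constructed for the illustration; the attacker URL relies on U+FF03 FULLWIDTH NUMBER SIGN, which NFKC-normalizes to '#', so a client that normalizes before parsing (IDNA, browsers) contacts a different host than the one a non-normalizing parser reports.

```python
import unicodedata

# Characters that must not be *introduced* into a netloc by NFKC normalization:
# each one moves the boundary between userinfo, host, port, path, query and
# fragment for a normalizing client but not for a parser that does not normalize.
FORBIDDEN = '/?#@:'

# Constructed attacker URL (not from the advisory). After NFKC the netloc reads
# "example.com#@bing.com": a normalizing client stops at '#' and contacts
# example.com, while a parser that takes the text after the last '@' says bing.com.
EVIL_URL = 'https://example.com\uff03@bing.com/'


def split_netloc(url):
    """Minimal netloc extraction: text after '//' up to the first '/', '?' or '#'."""
    _, _, rest = url.partition('//')
    end = len(rest)
    for sep in '/?#':
        idx = rest.find(sep)
        if idx != -1:
            end = min(end, idx)
    return rest[:end]


def hostname(netloc):
    """Host the way urlsplit() reports it: drop userinfo (before the last '@'),
    then the port. IPv6 literals are deliberately not handled here."""
    hostport = netloc.rpartition('@')[2]
    return hostport.partition(':')[0]


def check_after_userinfo_only(netloc):
    """Models the incomplete first fix as the advisory describes it: only the
    part after the last '@' is normalized and checked, so forbidden characters
    hidden in user:password are never examined."""
    _, _, hostport = netloc.rpartition('@')
    normalized = unicodedata.normalize('NFKC', hostport)
    if normalized != hostport and any(c in normalized for c in FORBIDDEN):
        raise ValueError("netloc contains invalid characters under NFKC normalization")


def check_whole_netloc(netloc):
    """Hardened check: normalize the whole netloc, userinfo included.
    Separators already present in the input are removed before normalizing so
    that a legitimate ':' or '@' cannot trigger a false positive; only
    characters produced by normalization are reported."""
    stripped = netloc
    for c in '@:#?':
        stripped = stripped.replace(c, '')
    normalized = unicodedata.normalize('NFKC', stripped)
    if normalized != stripped and any(c in normalized for c in FORBIDDEN):
        raise ValueError("netloc contains invalid characters under NFKC normalization")


def resolve(url, check):
    """Host the application would use if `check` accepts the netloc, else None."""
    netloc = split_netloc(url)
    try:
        check(netloc)
    except ValueError:
        return None
    return hostname(netloc)


def host_after_nfkc(url):
    """Host a client that NFKC-normalizes the URL before parsing would contact."""
    return hostname(split_netloc(unicodedata.normalize('NFKC', url)))


if __name__ == '__main__':
    print('first-fix style check accepts, host reported:', resolve(EVIL_URL, check_after_userinfo_only))
    print('host actually contacted after NFKC          :', host_after_nfkc(EVIL_URL))
    print('whole-netloc check                          :', resolve(EVIL_URL, check_whole_netloc))
    # Legitimate netloc that changes under NFKC without producing a separator:
    # U+30D5 U+309A composes to U+30D7, and the pre-existing ':80' must not be flagged.
    print('pre-existing port separator tolerated       :', resolve('http://\u30d5\u309a:80/', check_whole_netloc))
```

Stripping the separators that are already in the input before normalizing is what lets the whole-netloc check look at user:password without rejecting every URL that legitimately contains ':' or '@' there: the comparison `normalized != stripped` then only fires on characters that normalization itself produced, which is the condition that actually moves the host boundary.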
Timeline¶
Timeline using the disclosure date 2019-04-27 as reference:
- 2019-04-27: Python issue bpo-36742 reported by Chihiro Ito
- 2019-06-03 (+37 days): Reported (email to PSRT)
- 2019-06-04 (+38 days): commit 250b62a (branch 3.7)
- 2019-06-04 (+38 days): commit 8d0ef0b (branch 3.8)
- 2019-06-04 (+38 days): commit f61599b (branch 2.7)
- 2019-06-04 (+38 days): commit fd1771d (branch 3.6)
- 2019-06-07 (+41 days): CVE-2019-10160 published
- 2019-07-02 (+66 days): Python 3.6.9 released
- 2019-07-08 (+72 days): Python 3.7.4 released
- 2019-07-14 (+78 days): commit 4655d57 (branch 3.5)
- 2019-10-14 (+170 days): Python 3.8.0 released
- 2019-10-19 (+175 days): Python 2.7.17 released
- 2019-10-29 (+185 days): Python 3.5.8 released