CVE-2019-10160

Summary

CVE	CVE-2019-10160
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-06-07 18:29:00 UTC
Updated	2023-02-12 23:33:00 UTC
Description	A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Risk And Classification

Problem Types: CWE-172

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Application	Netapp	Cloud Backup	-	All	All	All
Application	Netapp	Converged Systems Advisor Agent	-	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Python	Python	All	All	All	All
Application	Python	Python	3.5.0	All	All	All
Application	Python	Python	3.6.0	All	All	All
Application	Python	Python	3.7	All	All	All
Application	Python	Python	3.8.0	alpha4	All	All
Application	Python	Python	3.8.0	beta1	All	All
Application	Python	Python	3.5.0	All	All	All
Application	Python	Python	3.6.0	All	All	All
Application	Python	Python	3.7	All	All	All
Application	Python	Python	All	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All
Application	Redhat	Virtualization	4.0	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 30 Update: python3-3.7.4-1.fc30 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] [DLA 2280-1] python3.5 security update	MLIST	lists.debian.org
[SECURITY] Fedora 29 Update: python36-3.6.9-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
bpo-36742: Corrects fix to handle decomposition in usernames (#13812) · python/cpython@8d0ef0b · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
[SECURITY] Fedora 31 Update: python35-3.5.8-2.fc31 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 29 Update: python3-3.7.4-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 31 Update: python34-3.4.10-6.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
USN-4127-1: Python vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
[SECURITY] Fedora 30 Update: python35-3.5.8-2.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 31 Update: python34-3.4.10-6.fc31 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[security-announce] openSUSE-SU-2020:0086-1: important: Security update	SUSE	lists.opensuse.org
urlsplit does not handle NFKC normalization (second fix) — Python Security 0.0 documentation	MISC	python-security.readthedocs.io	Third Party Advisory
[SECURITY] Fedora 29 Update: python35-3.5.8-2.fc29 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
1718388 – (CVE-2019-10160) CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
[SECURITY] Fedora 30 Update: python35-3.5.8-2.fc30 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
USN-4127-2: Python vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) · python/cpython@250b62a · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
bpo-36742: Corrects fix to handle decomposition in usernames (GH-1381… · python/cpython@fd1771d · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
[SECURITY] Fedora 29 Update: python3-3.7.4-1.fc29 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
1718388 – (CVE-2019-10160) CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc	MISC	bugzilla.redhat.com
[SECURITY] [DLA 1834-1] python2.7 security update	MLIST	lists.debian.org
CVE-2019-10160 Python Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	MISC	access.redhat.com
[SECURITY] Fedora 29 Update: python34-3.4.10-3.fc29 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 29 Update: python36-3.6.9-1.fc29 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 29 Update: python35-3.5.8-2.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 30 Update: python36-3.6.9-1.fc30 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 31 Update: python35-3.5.8-2.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Pony Mail!	MISC	lists.apache.org
[SECURITY] Fedora 30 Update: python3-3.7.4-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 30 Update: python34-3.4.10-3.fc30 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Red Hat Customer Portal	REDHAT	access.redhat.com
[security-announce] openSUSE-SU-2019:1906-1: important: Security update	SUSE	lists.opensuse.org
[SECURITY] Fedora 30 Update: python34-3.4.10-3.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Red Hat Customer Portal	REDHAT	access.redhat.com
[SECURITY] Fedora 30 Update: python36-3.6.9-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] [DLA 2337-1] python2.7 security update	MLIST	lists.debian.org
[SECURITY] Fedora 29 Update: python34-3.4.10-3.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) · python/cpython@f61599b · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

296081 Oracle Solaris 11.4 Support Repository Update (SRU) 12.5.0 Missing (CPUJUL2019)
377387 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2021:0080)