{"api_version":"1","generated_at":"2026-04-22T20:52:24+00:00","cve":"CVE-2019-17514","urls":{"html":"https://cve.report/CVE-2019-17514","api":"https://cve.report/api/cve/CVE-2019-17514.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-17514","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-17514"},"summary":{"title":"CVE-2019-17514","description":"library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-10-12 13:15:00","updated_at":"2020-07-27 18:15:00"},"problem_types":["NVD-CWE-noinfo","CWE-682"],"metrics":[],"references":[{"url":"https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies","name":"https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies","refsource":"MISC","tags":["Press/Media Coverage","Third Party Advisory"],"title":"A Code Glitch May Have Caused Errors In More Than 100 Published Studies - VICE","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405","name":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"bash/pathexp.c at ac50fbac377e32b98d2de396f016ea81e8ee9961 · bminor/bash · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html","name":"https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"10.7. glob — Unix style pathname pattern expansion — Python 2.7.11 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://usn.ubuntu.com/4428-1/","name":"USN-4428-1","refsource":"UBUNTU","tags":[],"title":"USN-4428-1: Python vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.python.org/issue33275","name":"https://bugs.python.org/issue33275","refsource":"MISC","tags":["Issue Tracking","Vendor Advisory"],"title":"Issue 33275: glob.glob should explicitly note that results aren't sorted - Python tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://twitter.com/LucasCMoore/status/1181615421922824192","name":"https://twitter.com/LucasCMoore/status/1181615421922824192","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"Lucas Moore on Twitter: \"Holy crap. Huge bug uncovered in computational chemistry software because different operating systems sort files differently and the published scripts don’t handle it well. If you do or rely on calculated NMR chemical shifts, this is a must-read. \n\nhttps://t.co/p0PNpMIGgf\"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html","name":"https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"10.7. glob — Unix style pathname pattern expansion — Python 2.7.10 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380","name":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"bash/pathexp.c at ac50fbac377e32b98d2de396f016ea81e8ee9961 · bminor/bash · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://twitter.com/chris_bloke/status/1181997278136958976","name":"https://twitter.com/chris_bloke/status/1181997278136958976","refsource":"MISC","tags":["Third Party Advisory"],"title":"Chris Samuel on Twitter: \"I do wonder if they also need to set the environment variable \"LC_ALL=C\" to be sure that Python's own ordering will always be consistent too. https://t.co/NLdcPPtRnw… https://t.co/rRXX5IgfhS\"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html","name":"https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"11.7. glob — Unix style pathname pattern expansion — Python 3.4.3 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20191107-0005/","name":"https://security.netapp.com/advisory/ntap-20191107-0005/","refsource":"CONFIRM","tags":[],"title":"CVE-2019-17514 Python Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html","name":"https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html","refsource":"MISC","tags":["Vendor Advisory"],"title":"11.7. glob — Unix style pathname pattern expansion — Python 3.5.1 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216","name":"https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216","refsource":"MISC","tags":["Third Party Advisory"],"title":"OOPS","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip","name":"https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip","refsource":"MISC","tags":["Third Party Advisory"],"title":"","mime":"application/zip","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-17514","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17514","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.6.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.7.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.8.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.6.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.7.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17514","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.8.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-17514","qid":"198293","title":"Ubuntu Security Notification for Python2.7, Python3.7, Python3.8 Vulnerabilities (USN-4754-3)"},{"cve":"CVE-2019-17514","qid":"671062","title":"EulerOS Security Update for python (EulerOS-SA-2019-2442)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-17514","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html","refsource":"MISC","name":"https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html"},{"url":"https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html","refsource":"MISC","name":"https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html"},{"url":"https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html","refsource":"MISC","name":"https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html"},{"url":"https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html","refsource":"MISC","name":"https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html"},{"url":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380","refsource":"MISC","name":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380"},{"url":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405","refsource":"MISC","name":"https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405"},{"url":"https://bugs.python.org/issue33275","refsource":"MISC","name":"https://bugs.python.org/issue33275"},{"url":"https://twitter.com/LucasCMoore/status/1181615421922824192","refsource":"MISC","name":"https://twitter.com/LucasCMoore/status/1181615421922824192"},{"url":"https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip","refsource":"MISC","name":"https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip"},{"url":"https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216","refsource":"MISC","name":"https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216"},{"url":"https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies","refsource":"MISC","name":"https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies"},{"refsource":"MISC","name":"https://twitter.com/chris_bloke/status/1181997278136958976","url":"https://twitter.com/chris_bloke/status/1181997278136958976"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20191107-0005/","url":"https://security.netapp.com/advisory/ntap-20191107-0005/"},{"refsource":"UBUNTU","name":"USN-4428-1","url":"https://usn.ubuntu.com/4428-1/"}]}},"nvd":{"publishedDate":"2019-10-12 13:15:00","lastModifiedDate":"2020-07-27 18:15:00","problem_types":["NVD-CWE-noinfo","CWE-682"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:3.8.0:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:3.6.0:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:3.7.0:-:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"17514","Ordinal":"157340","Title":"CVE-2019-17514","CVE":"CVE-2019-17514","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"17514","Ordinal":"1","NoteData":"library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"17514","Ordinal":"2","NoteData":"2019-10-12","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"17514","Ordinal":"3","NoteData":"2020-07-27","Type":"Other","Title":"Modified"}]}}}