CVE - CVE-2019-9948

CVE-ID
CVE-2019-9948	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:107549 URL:http://www.securityfocus.com/bid/107549 BUGTRAQ:20191021 [slackware-security] python (SSA:2019-293-01) URL:https://seclists.org/bugtraq/2019/Oct/29 CONFIRM:https://security.netapp.com/advisory/ntap-20190404-0004/ FEDORA:FEDORA-2019-60a1defcd1 URL:https://lists.fedoraproject.org/archives/list/[email protected]/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/ FEDORA:FEDORA-2019-9bfb4a3e4b URL:https://lists.fedoraproject.org/archives/list/[email protected]/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/ GENTOO:GLSA-202003-26 URL:https://security.gentoo.org/glsa/202003-26 MISC:http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html MISC:https://bugs.python.org/issue35907 MISC:https://github.com/python/cpython/pull/11842 MLIST:[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image URL:https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E MLIST:[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update URL:https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html MLIST:[debian-lts-announce] 20190711 [SECURITY] [DLA 1852-1] python3.4 security update URL:https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html MLIST:[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update URL:https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html MLIST:[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update URL:https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html REDHAT:RHSA-2019:1700 URL:https://access.redhat.com/errata/RHSA-2019:1700 REDHAT:RHSA-2019:2030 URL:https://access.redhat.com/errata/RHSA-2019:2030 REDHAT:RHSA-2019:3335 URL:https://access.redhat.com/errata/RHSA-2019:3335 REDHAT:RHSA-2019:3520 URL:https://access.redhat.com/errata/RHSA-2019:3520 SUSE:openSUSE-SU-2019:1273 URL:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html SUSE:openSUSE-SU-2019:1580 URL:http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html UBUNTU:USN-4127-1 URL:https://usn.ubuntu.com/4127-1/ UBUNTU:USN-4127-2 URL:https://usn.ubuntu.com/4127-2/
Assigning CNA
MITRE Corporation
Date Record Created
20190323	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190323)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)