Low severity  python: regression of the CVE-2019-9636 fix, introduced by the change that allows a port number in netloc

CVE ID

CVE-2019-10160

Exploitation status

None known

Patch status

Official patch

Disclosure date

2019-06-08
Description
A security regression of the CVE-2019-9636 fix exists in Python from commit d537ab0ff9767ef024f266899728f0116b1ec3 onward, affecting 2.7, 3.5, 3.6, 3.7 and 3.8.0a4 through 3.8.0b1. The urlsplit() check added for CVE-2019-9636 rejects netloc characters that turn into URL separators under NFKC normalization; it was later relaxed so that a port number in the netloc is accepted, and that relaxed check no longer covers the user and password part of the netloc. An attacker can therefore still exploit CVE-2019-9636 by placing such characters in the user:password portion of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials or other host-related information, a specially crafted URL can make the application associate that information with one host and then send it to a different host than a correctly parsed URL would have yielded. The concrete impact depends on the application.
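The following added example (written for this advisory, not CPython's own source) shows the two behaviours the description contrasts. `host_only_check` is an assumed, simplified model of the regressed logic: it normalizes only the host part to the right of the last '@' so that an existing ':port' is tolerated, and therefore never examines the user:password part. `full_netloc_check` follows the approach of the fix: strip the separators that are literally present, normalize the whole netloc, and reject any separator that newly appears. `netloc_of`, `hostname_of`, `verdict` and `host_after_normalization` are demo helpers (a patched interpreter's urlsplit() would raise on the crafted input before it could be inspected), and the sample URLs are constructed.

```python
# Added example for this advisory; it is not CPython's own source.
# The two checks below model, in simplified form, the behaviour the advisory
# describes: a host-only NFKC check relaxed to admit port numbers (the regressed
# version) and a whole-netloc check in the spirit of the fix.
import unicodedata

SEPARATORS = '/?#@:'   # characters that change how a URL is parsed


def netloc_of(url):
    """Netloc as urlsplit() delimits it: the text after '://' up to the first
    '/', '?' or '#'.  Re-implemented here (demo helper) so the code runs on a
    patched interpreter, whose urlsplit() would reject the crafted URLs first."""
    _, _, rest = url.partition('://')
    end = len(rest)
    for sep in '/?#':
        i = rest.find(sep)
        if 0 <= i < end:
            end = i
    return rest[:end]


def hostname_of(url):
    """Host as urlsplit().hostname reports it: after the last '@', before ':'
    (simplified: no IPv6 bracket handling)."""
    host = netloc_of(url).rpartition('@')[2]
    return host.partition(':')[0]


def host_only_check(netloc):
    """Regressed check (assumed simplification of the behaviour described):
    only the part right of the last '@' is normalized, so an existing ':port'
    is tolerated, but characters in user:password that expand to separators
    under NFKC are never examined."""
    if not netloc or netloc.isascii():
        return
    host = netloc.rpartition('@')[2]
    stripped = host.replace(':', '')    # a port separator already present is legitimate
    normalized = unicodedata.normalize('NFKC', stripped)
    if normalized == stripped:
        return
    for c in SEPARATORS:
        if c in normalized:
            raise ValueError(f'netloc {netloc!r} contains {c!r} under NFKC normalization')


def full_netloc_check(netloc):
    """Check in the spirit of the fix: separators that are literally present
    (user/password/port delimiters) are removed first, then the whole netloc,
    userinfo included, is normalized; any separator that newly appears is
    rejected."""
    if not netloc or netloc.isascii():
        return
    stripped = netloc
    for c in '@:#?':
        stripped = stripped.replace(c, '')
    normalized = unicodedata.normalize('NFKC', stripped)
    if normalized == stripped:
        return
    for c in SEPARATORS:
        if c in normalized:
            raise ValueError(f'netloc {netloc!r} contains {c!r} under NFKC normalization')


def verdict(url, check):
    """'accepted' or 'rejected' for the URL's netloc under the given check."""
    try:
        check(netloc_of(url))
    except ValueError:
        return 'rejected'
    return 'accepted'


def host_after_normalization(url):
    """Host an application ends up talking to when it NFKC-normalizes the netloc
    (as IDNA encoding does) and the result is parsed again."""
    scheme, sep, rest = url.partition('://')
    netloc = netloc_of(url)
    renormalized = scheme + sep + unicodedata.normalize('NFKC', netloc) + rest[len(netloc):]
    return hostname_of(renormalized)


# Constructed sample URLs (no real hosts).
CRAFTED = 'https://attacker.example\uFF03@victim.example/api'   # U+FF03 -> '#' under NFKC, hidden in userinfo
WITH_PORT = 'https://\u30D5\u309A.example:8443/'                 # legitimate port; host changes under NFKC but harmlessly
FAKE_PORT = 'https://victim.example\uFE1380/'                    # U+FE13 -> ':' under NFKC, forges a port separator

if __name__ == '__main__':
    for url in (CRAFTED, WITH_PORT, FAKE_PORT):
        print(f'{url!r}')
        print(f'  parsed host: {hostname_of(url)!r}, host after NFKC: {host_after_normalization(url)!r}')
        print(f'  host-only check: {verdict(url, host_only_check)}, '
              f'full-netloc check: {verdict(url, full_netloc_check)}')
```

The crafted URL is the case this CVE adds to CVE-2019-9636: the parser reports victim.example as the host (the fullwidth '#' sits in the userinfo), the host-only check accepts it, yet once the netloc is NFKC-normalized and re-parsed the request goes to attacker.example. The whole-netloc check rejects it while still accepting a genuine ':8443', and both checks reject a colon that only appears after normalization.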

Remediation
The vendor has released an upstream fix; upgrade to a release that contains it, or install the fixed distribution package listed in the affected-software table below. The tracking issue and patch are at:
https://bugs.python.org/issue36742
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://access.redhat.com/errata/RHSA-2019:1587
https://access.redhat.com/errata/RHSA-2019:1700
https://access.redhat.com/errata/RHSA-2019:2437
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160
https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533...
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
https://security.netapp.com/advisory/ntap-20190617-0003/
https://usn.ubuntu.com/4127-1/
https://usn.ubuntu.com/4127-2/
Affected software
Type         Vendor                 Product    Affected versions
Application  python                 python     >= 3.8.0a4 and <= 3.8.0b1
Application  python                 python     3.5.0
Application  python                 python     3.6.0
Application  python                 python     3.7
OS           alibaba_cloud_linux_3  python3    < 3.6.8-39.1.al8
OS           amazon_2               python     < 2.7.16-2.amzn2.0.1
OS           amazon_AMI             python27   < 2.7.16-1.129.amzn1
OS           centos_7               python     < 2.7.5-80.el7_6
OS           debian_10              python2.7  < 2.7.16-2+deb10u1
OS           debian_11              python2.7  < 2.7.16-3
OS           debian_9               python3.5  < 3.5.3-1+deb9u2
OS           fedora_29              python3    < 3.7.4-1.fc29
OS           fedora_30              python3    < 3.7.4-1.fc30
OS           fedora_31              python34   < 3.4.10-5.fc31
OS           fedora_EPEL_6          python34   < 3.4.10-4.el6
OS           fedora_EPEL_7          python34   < 3.4.10-4.el7
OS           kylinos_aarch64_V10    python     < 2.7.5-89.el7.ns7.01
OS           kylinos_x86_64_V10     python     < 2.7.5-89.el7.ns7.01
OS           opensuse_Leap_15.0     python     < 2.7.14-lp151.10.3.1
OS           opensuse_Leap_15.1     python     < 2.7.14-lp151.10.3.1
OS           oracle_6               python     < 2.6.6-68.0.1.el6_10
OS           oracle_7               python     < 2.7.5-80.0.1.el7_6
OS           redhat_7               python     < 2.7.5-80.el7_6
OS           suse_12_SP4            python     < 2.7.13-28.31.1
OS           suse_12_SP5            python36   < 3.6.10-4.3.5
OS           ubuntu_16.04           python2.7  < 3.5.2-2ubuntu0~16.04.8
For OS rows, "< X" means every package version before X is affected and X is the fixed package.
Alibaba Cloud score
3.1
  • Attack vector
    Remote
  • Attack complexity
    High
  • Privileges required
    None
  • Scope of impact
    Limited
  • Exploit maturity
    Unverified
  • Patch status
    Official patch
  • Confidentiality
    No impact
  • Integrity
    No impact
  • Server impact
    No impact
  • Internet-wide instances
    100
CWE-ID Vulnerability type
CWE-172 Encoding Error
CWE-522 Insufficiently Protected Credentials
Alibaba Cloud security product coverage