Search criteria
8 vulnerabilities found for Python by Python
CERTFR-2025-AVI-1068
Vulnerability from certfr_avis - Published: 2025-12-05 - Updated: 2025-12-05
Une vulnérabilité a été découverte dans Python. Elle permet à un attaquant de provoquer un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-12084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12084"
}
],
"initial_release_date": "2025-12-05T00:00:00",
"last_revision_date": "2025-12-05T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1068",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-05T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Python. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans Python",
"vendor_advisories": [
{
"published_at": "2025-12-03",
"title": "Bulletin de s\u00e9curit\u00e9 Python PSF-2025-16",
"url": "https://raw.githubusercontent.com/psf/advisory-database/main/advisories/python/PSF-2025-16.json"
}
]
}
CERTFR-2024-AVI-0540
Vulnerability from certfr_avis - Published: 2024-07-04 - Updated: 2024-07-04
De multiples vulnérabilités ont été découvertes dans Python. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "CPython versions ant\u00e9rieures \u00e0 3.10.14, 3.11.9, 3.12.4 et 3.13.0a6",
"product": {
"name": "CPython",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions ant\u00e9rieures \u00e0 3.10",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-5642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5642"
},
{
"name": "CVE-2024-0397",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0397"
},
{
"name": "CVE-2024-4032",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4032"
}
],
"initial_release_date": "2024-07-04T00:00:00",
"last_revision_date": "2024-07-04T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0540",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-07-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Python. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Python",
"vendor_advisories": [
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Python BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Python NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/"
},
{
"published_at": "2024-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Python PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"
}
]
}
CERTFR-2022-AVI-1017
Vulnerability from certfr_avis - Published: 2022-11-10 - Updated: 2022-11-10
Une vulnérabilité a été découverte dans Python 3. Elle permet à un attaquant de provoquer un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Python | Python | Python versions 3.10 antérieures à 3.10.9 | ||
| Python | Python | Python versions 3.11 antérieures à 3.11.1 | ||
| Python | Python | Python versions 3.9 antérieures à 3.9.16 | ||
| Python | Python | Python versions 3.8 antérieures à 3.8.16 | ||
| Python | Python | Python versions 3.7 antérieures à 3.7.16 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python versions 3.10 ant\u00e9rieures \u00e0 3.10.9",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.11 ant\u00e9rieures \u00e0 3.11.1",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.9 ant\u00e9rieures \u00e0 3.9.16",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.8 ant\u00e9rieures \u00e0 3.8.16",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.7 ant\u00e9rieures \u00e0 3.7.16",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
}
],
"initial_release_date": "2022-11-10T00:00:00",
"last_revision_date": "2022-11-10T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-1017",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Python 3. Elle permet \u00e0 un\nattaquant de provoquer un d\u00e9ni de service \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Python 3",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Python 3 du 08 novembre 2022",
"url": "https://python-security.readthedocs.io/vuln/slow-idna-large-strings.html"
}
]
}
CERTFR-2022-AVI-996
Vulnerability from certfr_avis - Published: 2022-11-07 - Updated: 2022-11-07
Une vulnérabilité a été découverte dans Python 3. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python versions 3.7 \u00e0 3.10 ant\u00e9rieures \u00e0 3.11",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-37454",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37454"
}
],
"initial_release_date": "2022-11-07T00:00:00",
"last_revision_date": "2022-11-07T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-996",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Python 3. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Python 3",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Python 3 du 21 octobre 2022",
"url": "https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html"
}
]
}
CERTFR-2021-AVI-140
Vulnerability from certfr_avis - Published: 2021-02-22 - Updated: 2021-02-22
Une vulnérabilité a été découverte dans Python. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python versions 3.7.x ant\u00e9rieures \u00e0 3.7.10",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.6.x ant\u00e9rieures \u00e0 3.6.13",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.8.x ant\u00e9rieures \u00e0 3.8.8",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Python versions 3.9.x ant\u00e9rieures \u00e0 3.9.2",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-3177",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
}
],
"initial_release_date": "2021-02-22T00:00:00",
"last_revision_date": "2021-02-22T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-140",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-02-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Python. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Python",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Python CVE-2021-3177 du 19 janvier 2021",
"url": "https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"
}
]
}
CERTA-2008-AVI-345
Vulnerability from certfr_avis - Published: 2008-07-02 - Updated: 2008-07-02None
Description
Plusieurs vulnérabilités de type débordement de mémoire ont été découvertes dans l'interpréteur de commandes Python. Elles permettent à un utilisateur distant malintentionné de porter atteinte à la confidentialité des données, de provoquer un déni de service ou d'exécuter du code arbitraire.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneReferences
| Title | Publication Time | Tags | |
|---|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python 2.4.",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s de type d\u00e9bordement de m\u00e9moire ont \u00e9t\u00e9\nd\u00e9couvertes dans l\u0027interpr\u00e9teur de commandes Python. Elles permettent \u00e0\nun utilisateur distant malintentionn\u00e9 de porter atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es, de provoquer un d\u00e9ni de service ou\nd\u0027ex\u00e9cuter du code arbitraire.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2008-1679",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1679"
},
{
"name": "CVE-2008-1721",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1721"
},
{
"name": "CVE-2008-1887",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1887"
}
],
"initial_release_date": "2008-07-02T00:00:00",
"last_revision_date": "2008-07-02T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Gentoo GLSA-200807-01 du 02 juillet 2008 :",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200807-01.xml"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Debian DSA 1551 du 19 avril 2008 :",
"url": "http://www.debian.org/security/2008/dsa-1551"
}
],
"reference": "CERTA-2008-AVI-345",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2008-07-02T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": null,
"title": "Vuln\u00e9rabilit\u00e9s dans Python",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Gentoo GLSA-200807-01 du 01 juillet 2008",
"url": null
}
]
}
CERTA-2005-AVI-063
Vulnerability from certfr_avis - Published: 2005-02-10 - Updated: 2005-02-17None
Description
Python est un langage de programmation interprété, interactif et orienté
objet.
Une vulnérabilité dans SimpleXMLRPCServer permet à un utilisateur mal
intentionné d'exécuter du code arbitraire à distance avec les droits du
serveur XML-RPC.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "toutes les versions de Python 2.3 ant\u00e9rieure \u00e0 la version 2.3.5 ;",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "toutes les versions de Python 2.4.",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
},
{
"description": "Toutes les versions de Python 2.2 ;",
"product": {
"name": "Python",
"vendor": {
"name": "Python",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nPython est un langage de programmation interpr\u00e9t\u00e9, interactif et orient\u00e9\nobjet. \nUne vuln\u00e9rabilit\u00e9 dans SimpleXMLRPCServer permet \u00e0 un utilisateur mal\nintentionn\u00e9 d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance avec les droits du\nserveur XML-RPC.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2005-02-10T00:00:00",
"last_revision_date": "2005-02-17T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:108 du 17 f\u00e9vrier 2005 :",
"url": "http://rhn.redhat.com/errata/RHSA-2005-108.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Debian DSA-666 du 04 f\u00e9vrier 2005 :",
"url": "http://www.debian.org/security/2005/dsa-666"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Gentoo GLSA 200502-09 du 08 f\u00e9vrier 2005 :",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200502-09.xml"
},
{
"title": "Site Internet de Python :",
"url": "http://www.python.org"
},
{
"title": "Mise \u00e0 jour de s\u00e9curit\u00e9 des paquetages NetBSD python22, python23 et python24 :",
"url": "ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/lang/python22/README.html"
},
{
"title": "Mise \u00e0 jour de s\u00e9curit\u00e9 des paquetages NetBSD python22, python23 et python24 :",
"url": "ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/lang/python24/README.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:109 du 14 f\u00e9vrier 2005 :",
"url": "http://rhn.redhat.com/errata/RHSA-2005-109.html"
},
{
"title": "Mise \u00e0 jour de s\u00e9curit\u00e9 des paquetages NetBSD python22, python23 et python24 :",
"url": "ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/lang/python23/README.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Mandrake MDKSA-2005:035 du 10 f\u00e9vrier 2005 :",
"url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:035"
}
],
"reference": "CERTA-2005-AVI-063",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2005-02-10T00:00:00.000000"
},
{
"description": "ajout de la r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 Mandrake MDKSA-2005:035.",
"revision_date": "2005-02-11T00:00:00.000000"
},
{
"description": "ajout de la r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:109.",
"revision_date": "2005-02-14T00:00:00.000000"
},
{
"description": "ajout de la r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:108.",
"revision_date": "2005-02-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": null,
"title": "Vuln\u00e9rabilit\u00e9 de Python",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Python PSF-2005-001",
"url": "http://www.python.org/security/PSF-2005-001"
}
]
}
CVE-2019-10160 (GCVE-0-2019-10160)
Vulnerability from cvelistv5 – Published: 2019-06-07 17:50 – Updated: 2024-08-04 22:10
VLAI?
Summary
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190617-0003/"
},
{
"name": "RHSA-2019:1587",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1587"
},
{
"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
},
{
"name": "RHSA-2019:1700",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1700"
},
{
"name": "FEDORA-2019-7723d4774a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"
},
{
"name": "FEDORA-2019-7df59302e0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"
},
{
"name": "FEDORA-2019-9bfb4a3e4b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/"
},
{
"name": "FEDORA-2019-60a1defcd1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "openSUSE-SU-2019:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html"
},
{
"name": "USN-4127-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4127-2/"
},
{
"name": "USN-4127-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4127-1/"
},
{
"name": "FEDORA-2019-50772cf122",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/"
},
{
"name": "FEDORA-2019-5dc275c9f2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/"
},
{
"name": "FEDORA-2019-2b1f72899a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/"
},
{
"name": "FEDORA-2019-b06ec6159b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"
},
{
"name": "FEDORA-2019-d202cda4f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"
},
{
"name": "FEDORA-2019-57462fa10d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"
},
{
"name": "openSUSE-SU-2020:0086",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"
},
{
"name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "python",
"vendor": "Python",
"versions": [
{
"status": "affected",
"version": "affects 2.7, 3.5, 3.6, 3.7, \u003e= v3.8.0a4 and \u003c v3.8.0b1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-22T16:06:12.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190617-0003/"
},
{
"name": "RHSA-2019:1587",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1587"
},
{
"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
},
{
"name": "RHSA-2019:1700",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1700"
},
{
"name": "FEDORA-2019-7723d4774a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"
},
{
"name": "FEDORA-2019-7df59302e0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"
},
{
"name": "FEDORA-2019-9bfb4a3e4b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/"
},
{
"name": "FEDORA-2019-60a1defcd1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "openSUSE-SU-2019:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html"
},
{
"name": "USN-4127-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4127-2/"
},
{
"name": "USN-4127-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4127-1/"
},
{
"name": "FEDORA-2019-50772cf122",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/"
},
{
"name": "FEDORA-2019-5dc275c9f2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/"
},
{
"name": "FEDORA-2019-2b1f72899a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/"
},
{
"name": "FEDORA-2019-b06ec6159b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"
},
{
"name": "FEDORA-2019-d202cda4f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"
},
{
"name": "FEDORA-2019-57462fa10d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"
},
{
"name": "openSUSE-SU-2020:0086",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"
},
{
"name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10160",
"datePublished": "2019-06-07T17:50:33.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}