CVE-2019-9636 : Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handl

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Published 2019-03-08 21:29:01

Updated 2022-07-25 18:15:17

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2019-9636

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.1
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 5.6
cpe:2.3:o:redhat:enterprise_linux_server_eus:5.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.2
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.4
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
Matching versions
Redhat » Virtualization » Version: 4.0
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Oracle » Sun Zfs Storage Appliance Kit » Version: 8.8.6
cpe:2.3:a:oracle:sun_zfs_storage_appliance_kit:8.8.6:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 28
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 29
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.3
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.0.0 and before (<) 3.4.10
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.6.0 and before (<) 3.6.9
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.5.0 and before (<) 3.5.7
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 2.7.0 and before (<) 2.7.17
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.7.0 and before (<) 3.7.3
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-9636

Top countries where our scanners detected CVE-2019-9636

Top open port discovered on systems with this issue 80

IPs affected by CVE-2019-9636 356,770

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-9636!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-9636

EPSS FAQ

1.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-9636

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2019-9636

https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

[SECURITY] [DLA 1835-1] python3.4 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3170

RHSA-2019:3170 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

[SECURITY] Fedora 28 Update: python35-3.5.7-1.fc28 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/

[SECURITY] Fedora 29 Update: python36-3.6.9-1.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0710

RHSA-2019:0710 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0997

RHSA-2019:0997 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/

[SECURITY] Fedora 30 Update: python3-3.7.2-8.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/

[SECURITY] Fedora 29 Update: python3-3.7.3-3.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190517-0001/

CVE-2019-9636 Python Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://usn.ubuntu.com/4127-2/

USN-4127-2: Python vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/

[SECURITY] Fedora 30 Update: python35-3.5.8-2.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/

[SECURITY] Fedora 28 Update: python34-3.4.10-1.fc28 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHBA-2019:0763

RHBA-2019:0763 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

urlsplit does not handle NFKC normalization — Python Security 0.0 documentation
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/

[SECURITY] Fedora 29 Update: python3-3.7.4-1.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html

[security-announce] openSUSE-SU-2019:1273-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/

[SECURITY] Fedora 31 Update: python35-3.5.8-2.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2980

RHSA-2019:2980 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html

[security-announce] openSUSE-SU-2019:1906-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/107400

Python CVE-2019-9636 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2019:0902

RHSA-2019:0902 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://usn.ubuntu.com/4127-1/

USN-4127-1: Python vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/

[SECURITY] Fedora 29 Update: python34-3.4.10-3.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/

[SECURITY] Fedora 30 Update: python36-3.6.9-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/

[SECURITY] Fedora 30 Update: python34-3.4.10-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html

[security-announce] openSUSE-SU-2019:1371-1: important: Security update
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/

[SECURITY] Fedora 29 Update: python3-3.7.2-5.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/

[SECURITY] Fedora 29 Update: python34-3.4.10-1.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

[security-announce] openSUSE-SU-2019:1580-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHBA-2019:0764

RHBA-2019:0764 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHBA-2019:0959

RHBA-2019:0959 - Bug Fix Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

[security-announce] openSUSE-SU-2020:0086-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

[SECURITY] [DLA 1834-1] python2.7 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

[SECURITY] Fedora 29 Update: python35-3.5.7-1.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/

[SECURITY] Fedora 30 Update: python34-3.4.10-3.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/

[SECURITY] Fedora 29 Update: python35-3.5.8-2.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

[SECURITY] [DLA 2337-1] python2.7 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202003-26

Python: Multiple vulnerabilities (GLSA 202003-26) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0765

RHSA-2019:0765 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://bugs.python.org/issue36216

Issue 36216: CVE-2019-9636: urlsplit does not handle NFKC normalization - Python tracker
Issue Tracking;Patch;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

[SECURITY] Fedora 30 Update: python35-3.5.7-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Release Notes;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0981

RHSA-2019:0981 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/python/cpython/pull/12201

bpo-36216: Add check for characters in netloc that normalize to separators by zooba · Pull Request #12201 · python/cpython · GitHub
Patch;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html

[SECURITY] [DLA 2280-1] python3.5 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/

[SECURITY] Fedora 30 Update: python3-3.7.3-3.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html

[security-announce] openSUSE-SU-2019:1282-1: important: Security update
Mailing List;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0806

RHSA-2019:0806 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/

[SECURITY] Fedora 30 Update: python3-3.7.4-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/

[SECURITY] Fedora 28 Update: python3-3.6.8-3.fc28 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory;Release Notes
https://access.redhat.com/errata/RHSA-2019:1467

RHSA-2019:1467 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-9636

Products affected by CVE-2019-9636

Threat overview for CVE-2019-9636

Exploit prediction scoring system (EPSS) score for CVE-2019-9636

CVSS scores for CVE-2019-9636

References for CVE-2019-9636