CVE ID:

CVE-2019-9948

Details:

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
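The bypass class described above, as an added example (not code from CPython or from this advisory): a scheme denylist that names only file: beside an allowlist that accepts only http and https. The function names, the sample URLs and the assumption that the application only needs web URLs are all illustrative; nothing here opens a URL.

```python
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web resources.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# The kind of denylist the advisory describes: it names file: only.
DENIED_SCHEMES = frozenset({"file"})


def scheme_of(url):
    """Return the lower-cased text before the first ':' (empty if none)."""
    head, sep, _ = url.strip().partition(":")
    if not sep or not head or "/" in head:
        return ""
    return head.lower()


def denylist_permits(url):
    """Weak check: reject only schemes that are explicitly listed."""
    return scheme_of(url) not in DENIED_SCHEMES


def allowlist_permits(url):
    """Hardened check: accept only known-good schemes that name a host."""
    if scheme_of(url) not in ALLOWED_SCHEMES:
        return False
    return bool(urlsplit(url.strip()).hostname)


def audit(urls):
    """Return (url, denylist_result, allowlist_result) for each URL."""
    return [(u, denylist_permits(u), allowlist_permits(u)) for u in urls]


# Constructed sample input; the second entry is the URL quoted in the advisory.
SAMPLE_URLS = [
    "file:///etc/passwd",
    "local_file:///etc/passwd",
    "FILE:///etc/passwd",
    "https:///etc/passwd",
    "https://example.org/index.html",
]

if __name__ == "__main__":
    for url, weak, strict in audit(SAMPLE_URLS):
        print("%-34s denylist=%-5s allowlist=%s" % (url, weak, strict))
```

Validate every URL again after each redirect, since the check only covers the string it was given.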

References:

BID:107549
http://www.securityfocus.com/bid/107549
https://security.netapp.com/advisory/ntap-20190404-0004/
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842
MLIST:[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
MLIST:[debian-lts-announce] 20190711 [SECURITY] [DLA 1852-1] python3.4 security update
https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html
REDHAT:RHSA-2019:1700
https://access.redhat.com/errata/RHSA-2019:1700
SUSE:openSUSE-SU-2019:1273
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
SUSE:openSUSE-SU-2019:1580
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html

ZeroDayLab Assigned Tags:

BYPASS ACCESS CONTROL
REMOTE
SECURITY BYPASS