Exposed dangerous method or function in Python - CVE-2019-9948
Published: June 19, 2019 / Updated: July 20, 2020
Vulnerability identifier: #VU18827
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-9948
CWE-ID: CWE-749
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Python.org
Affected software:
Python
Python
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to urllib implementation in Python 2.x supports the local_file: scheme. An attacker with ability to control input data, such as URL, can bypass protection mechanisms that blacklist file: URIs and view contents of arbitrary file on the system.
PoC:
urllib.urlopen('local_file:///etc/passwd') How to mitigate CVE-2019-9948
Install update from vendor's website.
Sources
- https://bugs.python.org/issue35907
- https://github.com/python/cpython/pull/11842
- https://github.com/python/cpython/commit/4fe82a8eef7aed60de05bfca0f2c322730ea921e
- https://github.com/python/cpython/commit/4f06dae5d8d4400ba38d8502da620f07d4a5696e
- https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b