#VU35161 Input validation error in Python


Published: 2019-10-12 | Updated: 2020-08-08

Vulnerability identifier: #VU35161

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17514

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 3.6.0, 3.7.0, 3.8.0

External links
http://bugs.python.org/issue33275
http://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380
http://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405
http://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216
http://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip
http://security.netapp.com/advisory/ntap-20191107-0005/
http://twitter.com/chris_bloke/status/1181997278136958976
http://twitter.com/LucasCMoore/status/1181615421922824192
http://usn.ubuntu.com/4428-1/
http://web.archive.org/web/20150822013622/
http://docs.python.org/3/library/glob.html
http://web.archive.org/web/20150906020027/
http://docs.python.org/2.7/library/glob.html
http://web.archive.org/web/20160309211341/
http://docs.python.org/3/library/glob.html
http://web.archive.org/web/20160526201356/
http://docs.python.org/2.7/library/glob.html
http://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for python2.7
Input validation error in Python