CVE-2019-9948 (NVD)

2019-03-23

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Products Ubuntu_linux, Debian_linux, Fedora, Leap, Python, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_eus, Enterprise_linux_tus, Enterprise_linux_workstation
Type Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
First patch - None (likely due to unavailable code)
Patches https://github.com/python/cpython/pull/11842
Links http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
https://security.netapp.com/advisory/ntap-20190404-0004/
https://access.redhat.com/errata/RHSA-2019:1700