CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
83.9%
Severity: High
Date : 2019-11-03
CVE-ID : CVE-2019-9636
Package : python2
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-978
The package python2 before version 2.7.17-1 is vulnerable to
information disclosure.
Upgrade to 2.7.17-1.
The problem has been fixed upstream in version 2.7.17.
None.
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by
improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization. A specially crafted URL could be incorrectly parsed
by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or
authentication data and send that information to a different host than
when parsed correctly.
A remote attacker is able to craft a malicious URL and transfer private
data to a different host than expected.
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://security.archlinux.org/CVE-2019-9636
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
83.9%