CVE-2019-17514

2019-10-1213:15:10

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.4%

JSON

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated “finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,” one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

CPENameOperatorVersion
cpythoneq1.0.2
cpythoneq3.1.2rc1
cpythoneq3.3.5
cpythoneq2.7b1
cpythoneq1.5b2
cpythoneq3.3.0b2
cpythoneq3.6.0a3
cpythoneq3.2.1rc2
cpythoneq2.1c1
cpythoneq3.8.0a4

Name	Operator	Version
cpython	eq	1.0.2
cpython	eq	3.1.2rc1
cpython	eq	3.3.5
cpython	eq	2.7b1
cpython	eq	1.5b2
cpython	eq	3.3.0b2
cpython	eq	3.6.0a3
cpython	eq	3.2.1rc2
cpython	eq	2.1c1
cpython	eq	3.8.0a4