Directory Traversal
Affecting python2.7 package, versions <2.7.9-2+deb8u3
Overview
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
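The bypass described above, seen from the side of the filter, as an added example that is not part of the advisory or of Python's own code: a blacklist that rejects only file: lets local_file: through, while an allowlist of expected schemes rejects it. The helper names, the scheme regex and the http/https allowlist are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web URLs.
ALLOWED_SCHEMES = frozenset({"http", "https"})
DENIED_SCHEMES = frozenset({"file"})  # the blacklist style the advisory describes

# Lenient scheme split: everything before the first ':' that contains no '/'.
# Hypothetical helper; it accepts '_' so that local_file is seen as a scheme.
_SCHEME = re.compile(r"^([^/:]+):")


def scheme_of(url):
    """Return the lower-cased scheme, or '' when the URL has none."""
    match = _SCHEME.match(url.strip())
    return match.group(1).lower() if match else ""


def denylist_permits(url):
    """Blacklist check: rejects file: only, so every other scheme passes."""
    return scheme_of(url) not in DENIED_SCHEMES


def allowlist_permits(url):
    """Allowlist check: known scheme and a host, everything else is refused."""
    if scheme_of(url) not in ALLOWED_SCHEMES:
        return False
    return bool(urlsplit(url.strip()).hostname)


def audit(urls):
    """Return (url, denylist verdict, allowlist verdict) for each URL."""
    return [(u, denylist_permits(u), allowlist_permits(u)) for u in urls]


# Constructed sample inputs; the local_file: URL is the one quoted in the Overview.
SAMPLES = [
    "https://example.com/index.html",
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "local_file:///etc/passwd",
    "/etc/passwd",  # no scheme at all
]

if __name__ == "__main__":
    for url, deny_ok, allow_ok in audit(SAMPLES):
        print(f"{url!r:36} denylist={deny_ok!s:5} allowlist={allow_ok}")
```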
CVSS Score
9.1 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
- CVE: CVE-2019-9948
- CWE: CWE-22
- Snyk ID: SNYK-DEBIAN8-PYTHON27-341356
- Disclosed: 23 Mar, 2019
- Published: 23 Mar, 2019