CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2019-10160

CVSS 9.8v3.1pub. 2019-06-07upd. 2024-11-21

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Canonical Ubuntu

    OS
    Canonical
    12.0414.0416.0418.0419.04
  • Debian

    OS
    Debian
    8.09.0
  • Fedora Project Fedora

    OS
    Fedoraproject
    293031
  • Netapp Cloud Backup

    APP
    Netapp
    wszystkie wersje
  • Netapp Converged Systems Advisor Agent

    APP
    Netapp
    wszystkie wersje
  • Opensuse Leap

    OS
    Opensuse
    15.015.1
  • Python

    APP
    Python
    3.8.02.7.0 – 2.7.17 (bez)3.7.0 – 3.7.4 (bez)3.6.0 – 3.6.9 (bez)3.5.0 – 3.5.8 (bez)
  • Red Hat Enterprise Linux

    OS
    Redhat
    7.0
  • Red Hat Enterprise Linux Desktop

    OS
    Redhat
    7.0
  • Red Hat Enterprise Linux Eus

    OS
    Redhat
    7.6
  • Red Hat Enterprise Linux Server

    OS
    Redhat
    7.0
  • Red Hat Enterprise Linux Server Aus

    OS
    Redhat
    7.6
  • Red Hat Enterprise Linux Server Tus

    OS
    Redhat
    7.6
  • Red Hat Enterprise Linux Workstation

    OS
    Redhat
    7.0
  • Red Hat Virtualization

    APP
    Redhat
    4.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki