Python Unicode Encoding Handling Information Disclosure Vulnerability [CVE-2019-9636]

CVE Number – CVE-2019-9636

A vulnerability in the the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.The vulnerability exists because the affected software mishandles unicode encoding (with an incorrect netloc) during normal form KC (NFKC) normalization. An attacker could exploit this vulnerability by supplying a crafted URL to the affected software to be incorrectly parsed. A successful exploit could allow the attacker to obtain sensitive information, such as cookies and authentication data.Python has confirmed this vulnerability and updates are available.

Analysis

• To exploit this vulnerability, the attacker would need network access and the ability to submit crafted URLs to the affected software. These requirements could reduce the likelihood of a successful attack.
  

Safeguards

• Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.Administrators can help protect affected systems from external attacks by using a solid firewall strategy.Administrators are advised to monitor affected systems.

Vendor Announcements

• Python has addressed this security vulnerability in a issue at the following link: Issue 36216
  

Fixed Software

• Python has released a patch at the following link: Patch