CVE-2019-9948
CVE-2019-9948
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.htmlhttp://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.htmlhttps://access.redhat.com/errata/RHSA-2019:1700https://access.redhat.com/errata/RHSA-2019:2030https://access.redhat.com/errata/RHSA-2019:3335https://access.redhat.com/errata/RHSA-2019:3520https://bugs.python.org/issue35907https://github.com/python/cpython/pull/11842https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2019/06/msg00022.htmlhttps://lists.debian.org/debian-lts-announce/2019/07/msg00011.html