Python Security Regression Unicode Encoding Vulnerability [CVE-2019-10160]

CVE Number – CVE-2019-10160

A vulnerability in the the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system. The vulnerability is due to a security regression by the affected software that mishandles unicode encoding that includes an incorrect netloc during normal form KC (NFKC) normalization. An attacker could exploit this vulnerability by supplying a crafted URL to the affected software to be parsed. A successful exploit could allow the attacker to obtain sensitive information, such as cookies and authentication data. Python has confirmed this vulnerability and updates are available.

Analysis

• To exploit this vulnerability, the attacker would need network access and the ability to submit crafted URLs to the affected software. These requirements could reduce the likelihood of a successful attack.

Safeguards

• Administrators are advised to apply the appropriate updates.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  
  Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  
  Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  
  Administrators are advised to monitor affected systems.

Vendor Announcements

• Python has released a security notice at the following link: urlsplit does not handle NFKC normalization (second fix)

Fixed Software

• Python has released a patch at the following link: bpo-36742: Corrects fix to handle decomposition in usernames