NVD - CVE-2019-10160

NOTICE UPDATED - May, 29th 2024

The NVD has a new announcement page with status updates, news, and how to stay connected!

CVE-2019-10160 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Description

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nist CVSS score does not match with CNA score

CNA: Red Hat, Inc.

Base Score: 9.8 CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 5.0 MEDIUM

Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1587	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1700	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2437	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160	Issue Tracking Patch Third Party Advisory
https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09	Patch Third Party Advisory
https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e	Patch Third Party Advisory
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de	Patch Third Party Advisory
https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468	Patch Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html	Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20190617-0003/	Third Party Advisory
https://usn.ubuntu.com/4127-1/	Third Party Advisory
https://usn.ubuntu.com/4127-2/	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-522	Insufficiently Protected Credentials	NIST
CWE-172	Encoding Error	Red Hat, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

31 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2019-10160
NVD Published Date:
06/07/2019
NVD Last Modified:
02/12/2023
Source:
Red Hat, Inc.

CVE-2019-10160 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by Red Hat, Inc. 5/14/2024 1:33:28 AM

CVE Modified by Red Hat, Inc. 2/12/2023 6:33:11 PM

CVE Modified by Red Hat, Inc. 2/02/2023 4:18:30 PM

Modified Analysis by NIST 7/05/2022 2:55:55 PM

CPE Deprecation Remap by NIST 1/06/2021 11:11:17 AM

CPE Deprecation Remap by NIST 1/06/2021 11:09:34 AM

CVE Modified by Red Hat, Inc. 8/22/2020 1:15:16 PM

CVE Modified by Red Hat, Inc. 7/29/2020 8:15:16 AM

CVE Modified by Red Hat, Inc. 7/15/2020 8:15:11 AM

CVE Modified by Red Hat, Inc. 1/21/2020 5:15:14 PM

CVE Modified by Red Hat, Inc. 11/10/2019 10:15:10 PM

CVE Modified by Red Hat, Inc. 11/09/2019 10:15:10 PM

CVE Modified by Red Hat, Inc. 11/09/2019 8:15:11 PM

CPE Deprecation Remap by NIST 10/25/2019 7:54:02 AM

CVE Modified by Red Hat, Inc. 10/09/2019 7:44:27 PM

CVE Modified by Red Hat, Inc. 9/19/2019 12:15:10 AM

CVE Modified by Red Hat, Inc. 9/18/2019 11:15:10 PM

CVE Modified by Red Hat, Inc. 9/18/2019 1:15:15 PM

CVE Modified by Red Hat, Inc. 9/10/2019 12:15:11 PM

CVE Modified by Red Hat, Inc. 8/15/2019 11:15:12 AM

CVE Modified by Red Hat, Inc. 8/12/2019 10:15:13 AM

CVE Modified by Red Hat, Inc. 8/05/2019 12:15:10 AM

CVE Modified by Red Hat, Inc. 7/28/2019 11:15:10 PM

CVE Modified by Red Hat, Inc. 7/12/2019 4:15:11 AM

CVE Modified by Red Hat, Inc. 7/11/2019 11:15:10 PM

CVE Modified by Red Hat, Inc. 7/08/2019 1:15:10 PM

CVE Modified by Red Hat, Inc. 6/25/2019 2:15:09 AM

CVE Modified by Red Hat, Inc. 6/20/2019 7:15:09 PM

CVE Modified by Red Hat, Inc. 6/17/2019 3:15:11 PM

Initial Analysis by NIST 6/11/2019 1:32:26 PM

CVE Modified by Red Hat, Inc. 6/07/2019 5:29:01 PM

Quick Info