Python Unicode Translation Vulnerability

Summary

Python.org has released a security update to address a Unicode normalization vulnerability in two Python components, urllib.parse.urlsplit and urllib.parse.urlparse. A remote, unauthenticated attacker could exploit this vulnerability to obtain sensitive information from an affected system.


Threat details

The vulnerability results from errors in the way the urllib.parse.urlsplit and urllib.parse.urlparse functions handle URLs whose host name contains Unicode characters that change under normalization. Host names are encoded with Punycode/IDNA, which applies NFKC normalization, and certain Unicode characters decompose under NFKC into ASCII URL delimiters such as '/', '?', '#' or '@'. These introduce new segments into the normalized URL that were not present when the unnormalized string was split, so the host an application validates and the host a request is actually sent to can differ. An attacker could exploit this with a specially crafted URL to cause cookie or authentication data associated with one host to be sent to another.
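The following is an added illustration of that mechanism, not code from the advisory or from CPython. The sample URLs are constructed for this example (U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#', U+2100 ACCOUNT OF normalizes to 'a/c'); it shows the host seen before and after NFKC normalization, and a rejection check, netloc_is_nfkc_safe, written here as an assumption of the shape of check a fix for Issue 36216 would add to urlsplit rather than the CPython patch itself.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit URL components. If NFKC normalization of an
# authority (netloc) produces any of these, the URL changes shape.
URL_DELIMITERS = "/?#@:"

# Constructed sample URLs (not taken from the advisory or the issue tracker).
# U+FF03 normalizes to '#', U+2100 normalizes to 'a/c'; U+00E9 is already in
# composed form and is unchanged by NFKC, so the last URL is harmless.
SAMPLE_URLS = [
    "http://example.com\uFF03@bing.com/path",
    "http://\u2100.example.com/path",
    "http://example.com/caf\u00e9",
]


def raw_netloc(url: str) -> str:
    """Authority component as seen before any normalization: the text between
    '://' and the first '/', '?' or '#', which is how urlsplit delimits netloc."""
    if "://" not in url:
        return ""
    rest = url.split("://", 1)[1]
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def host_of(netloc: str) -> str:
    """Host inside an authority: drop userinfo (before the last '@') and port."""
    return netloc.rpartition("@")[2].partition(":")[0].lower()


def host_before_normalization(url: str) -> str:
    """Host an allow-list check sees if it inspects the unnormalized URL."""
    return host_of(raw_netloc(url))


def host_after_normalization(url: str) -> str:
    """Host that results once the URL is NFKC-normalized (as IDNA encoding of
    the host name effectively does) and then split. Calling urlsplit on the
    normalized string behaves the same on vulnerable and patched interpreters,
    because any introduced delimiters are now literal ASCII and simply split
    the URL."""
    return urlsplit(unicodedata.normalize("NFKC", url)).hostname or ""


def netloc_is_nfkc_safe(netloc: str) -> bool:
    """Return False if NFKC normalization of *netloc* introduces URL delimiters.
    Assumed shape of the check a fix would add to urlsplit; not CPython's code."""
    if netloc.isascii():
        return True
    # Delimiters already present literally were seen by the parser; only the
    # ones that appear because of normalization matter.
    stripped = "".join(c for c in netloc if c not in URL_DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    return not any(c in normalized for c in URL_DELIMITERS)


def safe_urlsplit(url: str):
    """urlsplit that refuses a URL whose authority changes shape under NFKC,
    so a caller cannot validate one host and have a request go to another."""
    netloc = raw_netloc(url)
    if not netloc_is_nfkc_safe(netloc):
        raise ValueError(
            f"netloc {netloc!r} gains URL delimiters under NFKC normalization"
        )
    return urlsplit(url)


def audit(url: str) -> dict:
    """Summarize how a URL is interpreted before and after normalization."""
    before = host_before_normalization(url)
    after = host_after_normalization(url)
    return {
        "url": url,
        "host_before": before,
        "host_after": after,
        "mismatch": before != after,
        "rejected_by_check": not netloc_is_nfkc_safe(raw_netloc(url)),
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(audit(sample))
```

For the first sample URL, a check on the unnormalized string sees the host bing.com (everything after the '@'), while after normalization the fullwidth '#' becomes a fragment delimiter and the request goes to example.com with the credential-bearing part of the URL discarded. The check in netloc_is_nfkc_safe catches this because normalization of the authority produces a delimiter that was not there before; a plain non-ASCII host such as bücher.example passes, since NFKC leaves it unchanged.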

For further information:


Remediation steps

Users and administrators are encouraged to review Python's issue tracker, Issue 36216, and apply the necessary updates.

Please note that these components are widely used in a number of other vendors' platforms and systems, which will also need to be updated.


Last edited: 14 February 2020 2:47 pm