Key information summary
Bug ID: Bug 1718388 (CVE-2019-10160)
CVE: CVE-2019-10160
CVE summary: python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
Status: CLOSED ERRATA
Severity: high
Priority: high
Reported: 2019-06-07 15:43 UTC
Last modified: 2021-02-16 21:51 UTC

Vulnerability description
Description: A security regression of CVE-2019-9636 was discovered in python's urllib.parse.urlsplit and urllib.parse.urlparse functions. When checking the netloc component of a URL for characters that turn into delimiters under NFKC normalization, affected Python versions ignore the user/password part before '@', so an attacker can still exploit the vulnerability as in CVE-2019-9636: the host that the parser reports differs from the host that is used once the netloc has been normalized.
Affected versions: No upstream Python release is affected by this regression, but the vulnerable commit may already have been included downstream as part of the original fix for CVE-2019-9636.
External reference: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
Vulnerable commit: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3

Patches and remediation
Upstream patch: https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e
Fix status: This issue has been fixed in the following products:
- Red Hat Enterprise Linux 7 (RHSA-2019:1587)
- Red Hat Software Collections for Red Hat Enterprise Linux 6, 7, 7.4 EUS, 7.5 EUS and 7.6 EUS (RHSA-2019:1700)
- Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 (RHSA-2019:2437)

Other information
Related bugs: Duplicate of Bug 1732904; Blocks Bug 1718410; Depends on multiple bugs (list not fully shown)
Acknowledgements and statement: This vulnerability does not affect the Python versions shipped in Red Hat Enterprise Linux 5 and 6, nor the version shipped in Red Hat Enterprise Linux 8.
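The following is an added example, not part of the bug report and not CPython's own code. It re-implements, in simplified form, the two behaviours the report describes: a regressed netloc check that strips the userinfo before '@' (and the port) before NFKC-normalizing, and a hardened check in the spirit of the upstream patch that normalizes the whole netloc and rejects it if normalization produces a new delimiter. The URLs, function names and the U+FF03 (FULLWIDTH NUMBER SIGN, which NFKC-normalizes to '#') payload are constructed for the demonstration; the example splits the netloc by hand instead of calling urlsplit so that it runs the same way on fixed and unfixed interpreters.

```python
import unicodedata

# Constructed inputs for this example (not taken from the advisory).
# U+FF03 FULLWIDTH NUMBER SIGN NFKC-normalizes to '#', so once anything
# downstream normalizes the netloc (IDNA encoding of a hostname does),
# "example.com\uFF03@bing.com" reads as "example.com#@bing.com" and the
# authority ends at example.com, not at the bing.com a naive parse reports.
SMUGGLED = "https://example.com\uFF03@bing.com/path"
BENIGN = "https://user:pw@example.com:8443/path"
BENIGN_UNICODE = "https://b\u00FCcher.example/path"

DELIMS = "/?#@:"


def extract_netloc(url):
    """Cut the netloc out of an absolute URL: the text after '://' up to the
    first '/', '?' or '#'. Done by hand so a fixed interpreter's urlsplit
    does not raise before we can inspect the string."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def naive_host(netloc):
    """Host as a parser reports it before normalization: drop the userinfo
    before the last '@', then the port after ':'."""
    host = netloc.rpartition("@")[2]
    return host.partition(":")[0]


def effective_host(netloc):
    """Host a consumer ends up with after the netloc is NFKC-normalized:
    a delimiter created by normalization terminates the authority."""
    normalized = unicodedata.normalize("NFKC", netloc)
    for i, ch in enumerate(normalized):
        if ch in "/?#":
            normalized = normalized[:i]
            break
    return naive_host(normalized)


def regressed_checknetloc(netloc):
    """Illustrative model of the regressed check: userinfo and port are
    discarded BEFORE normalizing, so a normalizing character in the
    userinfo is never examined. Returns True when the netloc is accepted."""
    if not netloc or netloc.isascii():
        return True
    _, _, host = netloc.rpartition("@")
    host, _, _ = host.partition(":")
    normalized = unicodedata.normalize("NFKC", host)
    if host == normalized:
        return True
    return not any(c in normalized for c in DELIMS)


def hardened_checknetloc(netloc):
    """Illustrative model of the upstream approach: remove only the
    delimiters that are literally present, normalize everything that is
    left (userinfo included) and reject if normalization manufactured a
    new delimiter. Returns True when the netloc is accepted."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if stripped == normalized:
        return True
    return not any(c in normalized for c in DELIMS)


def host_if_accepted(url, check):
    """Return the host a parser would report when `check` accepts the
    netloc, or None when the URL is rejected."""
    netloc = extract_netloc(url)
    return naive_host(netloc) if check(netloc) else None


if __name__ == "__main__":
    for url in (SMUGGLED, BENIGN, BENIGN_UNICODE):
        nl = extract_netloc(url)
        print(repr(url))
        print("  naive host     :", naive_host(nl))
        print("  effective host :", effective_host(nl))
        print("  regressed check:", "accept" if regressed_checknetloc(nl) else "reject")
        print("  hardened check :", "accept" if hardened_checknetloc(nl) else "reject")
```

For the smuggled URL the regressed check accepts a netloc whose reported host is bing.com while the host after normalization is example.com; the hardened check rejects it, and benign URLs with userinfo, a port or non-ASCII but NFKC-stable hostnames pass both. On a Python interpreter carrying the upstream patch, urllib.parse.urlsplit raises ValueError on the smuggled URL itself, which is the quickest check that a given build is fixed.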