Python Unicode Encoding Handling Information Disclosure Vulnerability



A vulnerability in the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

The vulnerability exists because the affected software mishandles Unicode encoding (with an incorrect netloc) during Normalization Form KC (NFKC) normalization. An attacker could exploit this vulnerability by supplying a crafted URL that the affected software parses incorrectly. A successful exploit could allow the attacker to obtain sensitive information, such as cookies and authentication data.
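
A pre-parse check for the condition described above, as an added example (not code from the advisory or from the Python project): it reports which URL delimiter characters would appear in a netloc only after NFKC normalization, so such input can be rejected before it is parsed. The function names and the sample URLs are constructed for illustration.

```python
import unicodedata

# Characters that delimit URL components; none should appear in a netloc
# only after normalization.
DELIMITERS = "/?#@:"


def extract_netloc(url):
    """Return the raw text between '//' and the next '/', '?' or '#'."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    ends = [pos for pos in (rest.find(ch) for ch in "/?#") if pos != -1]
    return rest[: min(ends)] if ends else rest


def delimiters_introduced_by_nfkc(url):
    """Return the delimiters that NFKC normalization would add to the netloc."""
    netloc = extract_netloc(url)
    if not netloc or netloc.isascii():
        return set()  # ASCII text is unchanged by NFKC
    # Ignore delimiters already present (userinfo '@', port ':').
    stripped = netloc.replace("@", "").replace(":", "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return {ch for ch in DELIMITERS if ch in normalized}


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "https://user@www.example.com:8443/index.html",
    "https://b\u00fccher.example/",
    "https://a.example\uff03frag/",  # U+FF03 FULLWIDTH NUMBER SIGN
    "https://a\u2100b.example/",  # U+2100 ACCOUNT OF, NFKC gives "a/c"
]

if __name__ == "__main__":
    for url in SAMPLES:
        found = delimiters_introduced_by_nfkc(url)
        verdict = "REJECT" if found else "ok"
        print(f"{verdict:6} {ascii(url)} {sorted(found)}")
```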

Python has confirmed this vulnerability and updates are available.

Security Impact Rating: Critical

CVE: CVE-2019-9636

Source: Cisco Multivendor Vulnerability Alerts