Python Security Regression Unicode Encoding Vulnerability

By GIXnews

A vulnerability in the urllib.parse.urlsplit and urllib.parse.urlparse functions of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

The vulnerability is a security regression: the earlier fix for CVE-2019-9636 was incomplete, so urlsplit and urlparse still mishandle a netloc containing Unicode characters that Normalization Form KC (NFKC) turns into URL delimiters (such as '@', ':', '/', '?' or '#'), in particular when the user and password portion of the URL is abused. Because IDNA hostname processing applies NFKC, the host that the application parses out of the URL is not the host the request is actually sent to. An attacker could exploit this vulnerability by supplying a crafted URL to an application that parses it with the affected software. A successful exploit could allow the attacker to have host-related data, such as cookies and authentication data, sent to a host of the attacker's choosing.
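To make the parsing discrepancy concrete, the following added example (not code from the Python project or from the advisory) implements the NFKC delimiter check in plain Python and shows how the host seen in the raw netloc differs from the host obtained after normalization. The sample URLs and netlocs are constructed for the demonstration; the helper names (hidden_delimiters, naive_host, host_after_nfkc, raw_netloc, check_url, rejects) are this example's own, not the standard library's.

```python
import unicodedata

# Characters that bound the host inside an authority component. If NFKC
# normalization introduces one of them, the host boundary moves.
NETLOC_DELIMITERS = "/?#@:"


def hidden_delimiters(netloc: str) -> set:
    """Delimiters that appear in netloc only after NFKC normalization.

    Delimiters already present literally (an ASCII '@' before the host, a ':'
    before a port) are removed first so that only characters which *become*
    delimiters are reported. ASCII-only netlocs cannot change under NFKC.
    """
    if not netloc or netloc.isascii():
        return set()
    stripped = netloc
    for c in NETLOC_DELIMITERS:
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return {c for c in NETLOC_DELIMITERS if c in normalized}


def naive_host(netloc: str) -> str:
    """Host an application believes it is talking to if it trusts the raw netloc."""
    host = netloc.rpartition("@")[2]   # drop user:password@ if present
    host = host.split(":", 1)[0]        # drop :port
    return host.split("/", 1)[0]        # nothing past a path separator is host


def host_after_nfkc(netloc: str) -> str:
    """Host that results once the netloc has been NFKC-normalized (as IDNA does)."""
    return naive_host(unicodedata.normalize("NFKC", netloc))


def raw_netloc(url: str) -> str:
    """Extract the authority of an absolute URL by hand, independent of whether
    this interpreter's urlsplit() already rejects such input."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    for stop in "/?#":   # authority ends at the first path/query/fragment delimiter
        rest = rest.split(stop, 1)[0]
    return rest


def check_url(url: str) -> str:
    """Return the netloc of url, or raise ValueError when NFKC normalization
    would introduce a delimiter into it (the condition behind both CVEs)."""
    netloc = raw_netloc(url)
    hidden = hidden_delimiters(netloc)
    if hidden:
        raise ValueError(
            f"netloc {netloc!r} gains {sorted(hidden)} under NFKC normalization")
    return netloc


def rejects(url: str) -> bool:
    """True if check_url() refuses the URL."""
    try:
        check_url(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: U+FF20 is FULLWIDTH COMMERCIAL AT (NFKC -> '@'),
    # U+2100 is ACCOUNT OF (NFKC -> 'a/c'), U+00FC is a plain precomposed u-umlaut.
    for netloc in ("example.com\uff20evil.com",
                   "example.com\u2100evil.com",
                   "b\u00fccher.example"):
        print(f"{netloc!r}: raw host={naive_host(netloc)!r} "
              f"after NFKC={host_after_nfkc(netloc)!r} "
              f"hidden={sorted(hidden_delimiters(netloc))}")
```

The first two netlocs are the dangerous pattern: the raw string contains no '@' or '/', so an application keys cookies or credentials to the whole string, while after normalization the effective host becomes evil.com (or the path boundary moves). The umlaut example shows that ordinary internationalized hostnames are left alone, because their precomposed form is already NFKC-stable. On an interpreter carrying the fix, urllib.parse.urlsplit itself raises ValueError for the first two inputs; the check above is useful when user-supplied URLs are validated before being handed to other parsers or to older runtimes.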

Python has confirmed this vulnerability, and updated releases that correct the check are available.

Security Impact Rating: Critical

CVE: CVE-2019-10160

Source: Cisco Multivendor Vulnerability Alerts