#VU35161 Input validation error in Python - CVE-2019-17514

Cybersecurity Help s.r.o.

Published: 2019-10-12 | Updated: 2020-08-08

Vulnerability identifier: #VU35161

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17514

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 3.6.0, 3.7.0, 3.8.0

External links
https://bugs.python.org/issue33275
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405
https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216
https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip
https://security.netapp.com/advisory/ntap-20191107-0005/
https://twitter.com/chris_bloke/status/1181997278136958976
https://twitter.com/LucasCMoore/status/1181615421922824192
https://usn.ubuntu.com/4428-1/
https://web.archive.org/web/20150822013622/
https://docs.python.org/3/library/glob.html
https://web.archive.org/web/20150906020027/
https://docs.python.org/2.7/library/glob.html
https://web.archive.org/web/20160309211341/
https://docs.python.org/3/library/glob.html
https://web.archive.org/web/20160526201356/
https://docs.python.org/2.7/library/glob.html
https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for python3.10

Ubuntu update for python2.7

Input validation error in Python