CVE-2019-9948

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-9948

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9948.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-9948

Aliases

PSF-2019-12

Downstream

ALPINE-CVE-2019-9948

DEBIAN-CVE-2019-9948

DLA-1834-1

DLA-1852-1

DLA-2280-1

DLA-2337-1

RHSA-2019:1700

RHSA-2019:2030

RHSA-2019:3335

RHSA-2019:3520

RHSA-2019:3725

RHSA-2020:1268

RHSA-2020:1346

RHSA-2020:1462

SUSE-SU-2019:0972-1

SUSE-SU-2019:14018-1

SUSE-SU-2019:1439-1

SUSE-SU-2020:0234-1

UBUNTU-CVE-2019-9948

USN-4127-1

USN-4127-2

USN-6891-1

openSUSE-SU-2019:1273-1

openSUSE-SU-2024:11202-1

Related

Published

2019-03-23T18:29:02Z

Modified

2025-10-21T02:34:23Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

urllib in Python 2.x through 2.7.16 supports the localfile: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('localfile:///etc/passwd') call.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

ff139a8a44d079a8261292044c82f128343fea09

Fixed

c2f86d86e6c8f5fd1ef602128b537a48f3f5c063