Description

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Remediation

References

CVE-2019-9948

Related Vulnerabilities

WordPress Plugin Advanced Dewplayer Directory Traversal (1.2)

WordPress Plugin Simple Ads Manager SQL Injection (2.9.4.116)

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Cross-Site Scripting (3.2.6)

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-0273)

WordPress Plugin Quick Page/Post Redirect Security Bypass (5.1.9)

Severity

Critical

Classification

CVE-2019-9948 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update Known Vulnerabilities