CVE-2019-17514

{"id": "CVE-2019-17514", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-10-12T13:15:10.790", "references": [{"url": "https://bugs.python.org/issue33275", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20191107-0005/", "source": "cve@mitre.org"}, {"url": "https://twitter.com/LucasCMoore/status/1181615421922824192", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/chris_bloke/status/1181997278136958976", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4428-1/", "source": "cve@mitre.org"}, {"url": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-682"}, {"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly."}, {"lang": "es", "value": "La biblioteca library/glob.html en la documentaci\u00f3n de Python versiones 2 y 3 antes del 2016, presenta informaci\u00f3n potencialmente enga\u00f1osa sobre si ocurre la clasificaci\u00f3n, como es demostrado por los resultados irreproducibles de la investigaci\u00f3n del c\u00e1ncer. NOTA: los efectos de esta documentaci\u00f3n cruzan dominios de aplicaci\u00f3n y, por lo tanto, es probable que el c\u00f3digo relevante para la seguridad en otros lugares este afectado. Este problema no es un error de implementaci\u00f3n de Python, y no existen reportes de que los investigadores de RMN confiaran espec\u00edficamente en la biblioteca library/glob.html. En otras palabras, debido a que la documentaci\u00f3n m\u00e1s antigua declara \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" uno podr\u00eda haber inferido incorrectamente que la clasificaci\u00f3n que ocurre en un shell de Unix tambi\u00e9n se present\u00f3 para glob.glob. Existe una soluci\u00f3n alternativa en las versiones m\u00e1s nuevas de Willoughby nmr-data_compilation-p2.py y nmr-data_compilation-p3.py, que llaman a la funci\u00f3n sort() directamente."}], "lastModified": "2020-07-27T18:15:12.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:python:3.6.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D1ED4F49-515C-4848-9517-0793361EE8D7"}, {"criteria": "cpe:2.3:a:python:python:3.7.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BFDF292-ACD2-4225-95B3-51343D2C5E85"}, {"criteria": "cpe:2.3:a:python:python:3.8.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "707791F5-F864-4DE1-8E54-58A00E17B85F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}