CVE-2019-9636
📋 TL;DR
This vulnerability in Python's urllib.parse module allows attackers to craft URLs that appear to belong to one domain but are parsed as another due to Unicode encoding issues during NFKC normalization. This can cause sensitive information like cookies and authentication credentials to be sent to unintended hosts. Affected are Python applications using urllib.parse.urlsplit or urlparse with Python versions 2.7.x through 2.7.16 and 3.x through 3.7.2.
💻 Affected Systems
- Python
- Applications using Python's urllib.parse module
📦 What is this software?
Fedora by Fedoraproject
Fedora by Fedoraproject
Fedora by Fedoraproject
Fedora by Fedoraproject
Leap by Opensuse
Leap by Opensuse
Leap by Opensuse
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal authentication credentials, session cookies, or other sensitive data from users by tricking them into visiting malicious URLs, leading to account compromise and data breaches.
Likely Case
Credential harvesting attacks where users click on specially crafted links that appear legitimate but redirect authentication data to attacker-controlled servers.
If Mitigated
Limited impact if applications use additional validation for hostnames or implement strict same-origin policies for sensitive data.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious URL) but is straightforward once the URL is crafted. The vulnerability is well-documented and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 2.7.17+, 3.5.10+, 3.6.10+, 3.7.3+
Vendor Advisory: https://www.python.org/downloads/
Restart Required: Yes
Instructions:
1. Identify Python version with 'python --version'. 2. Upgrade to patched version using package manager (e.g., 'apt-get upgrade python' on Debian/Ubuntu, 'yum update python' on RHEL/CentOS). 3. Restart all Python applications and services.
🔧 Temporary Workarounds
Validate hostnames manually
allImplement custom validation for hostnames in URL parsing to reject suspicious Unicode characters.
Use alternative URL parsing libraries
allReplace urllib.parse with libraries like furl or yarl that are not affected.
🧯 If You Can't Patch
- Implement strict input validation to reject URLs with non-ASCII characters in hostnames.
- Use web application firewalls (WAFs) to block requests with suspicious Unicode patterns in URLs.
🔍 How to Verify
Check if Vulnerable:
Run 'python --version' and compare against affected versions. Test with a crafted URL containing Unicode characters in the netloc.Check Version:
python --versionVerify Fix Applied:
After patching, test URL parsing with the same crafted URLs to ensure proper hostname resolution.📡 Detection & Monitoring
Log Indicators:
- Unusual Unicode characters in URL hostnames in access logs
- Requests to unexpected domains following URL parsing
Network Indicators:
- Outbound connections to suspicious domains after URL processing
- Unexpected authentication attempts to external servers
SIEM Query:
search 'url_parse' OR 'urllib' AND ('unicode' OR 'NFKC') in application logs🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://www.securityfocus.com/bid/107400
- https://access.redhat.com/errata/RHBA-2019:0763
- https://access.redhat.com/errata/RHBA-2019:0764
- https://access.redhat.com/errata/RHBA-2019:0959
- https://access.redhat.com/errata/RHSA-2019:0710
- https://access.redhat.com/errata/RHSA-2019:0765
- https://access.redhat.com/errata/RHSA-2019:0806
- https://access.redhat.com/errata/RHSA-2019:0902
- https://access.redhat.com/errata/RHSA-2019:0981
- https://access.redhat.com/errata/RHSA-2019:0997
- https://access.redhat.com/errata/RHSA-2019:1467
- https://access.redhat.com/errata/RHSA-2019:2980
- https://access.redhat.com/errata/RHSA-2019:3170
- https://bugs.python.org/issue36216
- https://github.com/python/cpython/pull/12201
- https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/
- https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
- https://security.gentoo.org/glsa/202003-26
- https://security.netapp.com/advisory/ntap-20190517-0001/
- https://usn.ubuntu.com/4127-1/
- https://usn.ubuntu.com/4127-2/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://www.securityfocus.com/bid/107400
- https://access.redhat.com/errata/RHBA-2019:0763
- https://access.redhat.com/errata/RHBA-2019:0764
- https://access.redhat.com/errata/RHBA-2019:0959
- https://access.redhat.com/errata/RHSA-2019:0710
- https://access.redhat.com/errata/RHSA-2019:0765
- https://access.redhat.com/errata/RHSA-2019:0806
- https://access.redhat.com/errata/RHSA-2019:0902
- https://access.redhat.com/errata/RHSA-2019:0981
- https://access.redhat.com/errata/RHSA-2019:0997
- https://access.redhat.com/errata/RHSA-2019:1467
- https://access.redhat.com/errata/RHSA-2019:2980
- https://access.redhat.com/errata/RHSA-2019:3170
- https://bugs.python.org/issue36216
- https://github.com/python/cpython/pull/12201
- https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/
- https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
- https://security.gentoo.org/glsa/202003-26
- https://security.netapp.com/advisory/ntap-20190517-0001/
- https://usn.ubuntu.com/4127-1/
- https://usn.ubuntu.com/4127-2/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
