// For flags

CVE-2019-17514

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

La biblioteca library/glob.html en la documentación de Python versiones 2 y 3 antes del 2016, presenta información potencialmente engañosa sobre si ocurre la clasificación, como es demostrado por los resultados irreproducibles de la investigación del cáncer. NOTA: los efectos de esta documentación cruzan dominios de aplicación y, por lo tanto, es probable que el código relevante para la seguridad en otros lugares este afectado. Este problema no es un error de implementación de Python, y no existen reportes de que los investigadores de RMN confiaran específicamente en la biblioteca library/glob.html. En otras palabras, debido a que la documentación más antigua declara "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," uno podría haber inferido incorrectamente que la clasificación que ocurre en un shell de Unix también se presentó para glob.glob. Existe una solución alternativa en las versiones más nuevas de Willoughby nmr-data_compilation-p2.py y nmr-data_compilation-p3.py, que llaman a la función sort() directamente.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-10-12 CVE Reserved
  • 2019-10-12 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • 2024-10-05 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-682: Incorrect Calculation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.6.0
Search vendor "Python" for product "Python" and version "3.6.0"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.7.0
Search vendor "Python" for product "Python" and version "3.7.0"
-
Affected
Python
Search vendor "Python"
Python
Search vendor "Python" for product "Python"
3.8.0
Search vendor "Python" for product "Python" and version "3.8.0"
-
Affected