CVE-2019-17514 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-17514 PUBLISHED

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

EPSS 1.71% · 82.2th percentile

Risk Scores

EPSS Score

1.71%

82.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:20.04:LTS	python2.7	2.7.18-1~20.04, 0, 2.7.17~rc1-1
Ubuntu:16.04:LTS	python3.5	3.5.2-2ubuntu0~16.04.4, 3.5.2-2ubuntu0~16.04.10, 3.5.2-2ubuntu0~16.04.9
Ubuntu:Pro:14.04:LTS	python3.5	3.5.2-2ubuntu0~16.04.4~14.04.1, 0
Ubuntu:16.04:LTS	python2.7	2.7.11-7ubuntu1, 2.7.12-1~16.04, 2.7.12-1ubuntu0~16.04.1
Ubuntu:18.04:LTS	python3.8	0
Ubuntu:18.04:LTS	python3.6	3.6.5~rc1-1, 3.6.4-3build1, 3.6.4-2
Ubuntu:20.04:LTS	python3.8	3.8.2-1ubuntu1.1, 3.8.0-3, 3.8.0-2
Ubuntu:Pro:18.04:LTS	python3.7	3.7.5-2~18.04, 0, 3.7.0~a2-1
Ubuntu:Pro:14.04:LTS	python3.4	3.4.3-1ubuntu1~14.04.6, 3.4.3-1ubuntu1~14.04.5, 3.4.3-1ubuntu1~14.04.4
Ubuntu:Pro:14.04:LTS	python2.7	2.7.6-4ubuntu1, 0, 2.7.6-8ubuntu0.6+esm5
Ubuntu:18.04:LTS	python2.7	2.7.14-2ubuntu2, 2.7.14-4, 2.7.14-6
Ubuntu:Pro:22.04:LTS	python2.7	0, 2.7.18-8build1, 2.7.18-13ubuntu1.2+esm2

Timeline

Oct 12, 2019 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Jan 2, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2019-17514 third-party-advisory
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380 third-party-advisory
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405 third-party-advisory
https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216 third-party-advisory
https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip third-party-advisory
https://twitter.com/chris_bloke/status/1181997278136958976 third-party-advisory
https://twitter.com/LucasCMoore/status/1181615421922824192 third-party-advisory
https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html third-party-advisory
https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html third-party-advisory
https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html third-party-advisory
https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html third-party-advisory
https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies third-party-advisory
https://ubuntu.com/security/notices/USN-4428-1 vendor-advisory
https://ubuntu.com/security/notices/USN-4754-3 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-17514 third-party-advisory
https://ubuntu.com/security/notices/USN-6891-1 vendor-advisory

Open in Interactive Console →